Abstract. We propose a type-based resource usage analysis for the π-calculus extended with resource creation/access primitives. The goal of the resource usage analysis is to statically check that a program accesses resources such as files and memory in a valid manner. Our type system is an extension of previous behavioral type systems for the π-calculus. It can guarantee the safety property that no invalid access is performed, as well as the property that necessary accesses (such as the close operation for a file) are eventually performed unless the program diverges. A sound type inference algorithm for the type system is also developed to free the programmer from the burden of writing complex type annotations. Based on our algorithm, we have implemented a prototype resource usage analyzer for the π-calculus. To the authors' knowledge, this is the first type-based resource usage analysis that deals with an expressive concurrent language like the π-calculus.



1. Introduction

Computer programs access many external resources, such as files, library functions, device drivers, etc. Such resources are often associated with certain access protocols; for example, an opened file should eventually be closed, and after the file has been closed, no read/write access is allowed. The aim of resource usage analysis is to statically check that programs conform to such access protocols. Although a number of approaches, including type systems and model checking, have been proposed so far for resource usage analysis or similar analyses [13], most of them focused on the analysis of sequential programs, and did not treat concurrent programs, especially those involving dynamic creation/passing of channels and resources.

In the present paper, we propose a type-based method of resource usage analysis for concurrent languages. Dealing with concurrency is especially important because concurrent programs are hard to debug, and also because actual programs accessing resources are often concurrent. We use the π-calculus (extended with resource primitives) as a target language so that our analysis can be applied to a wide range of concurrency primitives (including those for dynamically creating and passing channels) in a uniform manner.

A main new difficulty in dealing with concurrent programs is that control structures are more complex in concurrent programs than in sequential programs. For example, consider the following process $P_1$:

$$(\nu c)\,(\mathit{read}(x).\bar{c}(\,) \mid c(\,).\mathit{close}(x))$$

Here, $\mathit{read}(x).\bar{c}(\,)$ reads $x$ and then sends a signal on channel $c$, and in parallel to that, $c(\,).\mathit{close}(x)$ waits for a signal on channel $c$ and then closes $x$. Because of the synchronization through channel $c$, $x$ is closed only after being read. To capture this kind of causal dependency between communications and resource access, we use CCS processes as extra type information (which are called behavioral types). For example, the above process is given the behavioral type $(\nu c)\,(x^{R}.\bar{c} \mid c.x^{C})$.

Using the behavioral types introduced above, we can construct a type system for resource usage analysis in a manner similar to previous behavioral type systems for the π-calculus [10]. A type judgment is of the form $\Gamma \triangleright P : A$, where $\Gamma$ is the usual type environment and $A$ is a behavioral type approximating the behavior of $P$ on the free channels and resources. For example, the above process $P_1$ is typed $x : \mathbf{res} \triangleright P_1 : (\nu c)\,(x^{R}.\bar{c} \mid c.x^{C})$. Behavioral types are also used to augment channel types. The judgment for $s(x).P_1$ is given by:

$$\Gamma \triangleright s(x).P_1 : s$$

where $\Gamma = s : \mathbf{chan}((x:\mathbf{res})(\nu c)\,(x^{R}.\bar{c} \mid c.x^{C}))$. Here, the behavioral type of $s(x).P_1$ is simply a single input command $s$: the characteristic feature of this kind of type system is that the behavior of the input continuation is accounted for at output, not at input. The channel $s$ has argument type $(x:\mathbf{res})(\nu c)\,(x^{R}.\bar{c} \mid c.x^{C})$, which specifies that the resource sent along channel $s$ will be read first and then closed. Using the same type environment, the output process $\bar{s}(r)$ is typed as:

$$\Gamma, r:\mathbf{res} \triangleright \bar{s}(r) : \bar{s}.(\nu c)\,(r^{R}.\bar{c} \mid c.r^{C})$$

Here the behavioral type is an output followed by a continuation. The continuation $(\nu c)\,(r^{R}.\bar{c} \mid c.r^{C})$ has been obtained by substituting $r$ for $x$ in the argument type of $s$. In this way, the types propagate information about how resources and channels passed through channels are accessed.

An important property of our type system is that types express the abstract behavior of processes, so that certain properties of processes can be verified by verifying the corresponding properties of their types, using, for example, model checking techniques. The latter properties (of behavioral types) are more amenable to automatic verification techniques like model checking than the former ones, because the types do not have channel mobility and also because the types typically represent only the behavior of a part of the entire process.

The technical contributions of the present work are summarized as follows.

• Formalization of type systems for resource usage analysis for the π-calculus, and proof of their soundness. We have augmented previous behavioral types for the π-calculus with hiding and renaming constructors, and adapted them to the problem of resource usage analysis. CCS-like processes have been used as types also in previous work on type systems for the π-calculus [5, 10]. Igarashi and Kobayashi [10], however, used a fragment without hiding and renaming, and Chaki et al. [5] used a fragment without renaming, while the present paper uses both hiding and renaming. The inclusion of hiding and renaming is important both for accuracy and for automatic inference (see Remark 3.12).

• Realization of fully automatic verification (while making the analysis more precise than [10]). Igarashi and Kobayashi [10] gave only an abstract type system, without giving a concrete type inference algorithm. Chaki et al. [5] require type annotations. The full automation was enabled by a combination of a number of small ideas, like the inclusion of hiding and renaming as type constructors, and the approximation of a CCS-like type by a Petri net (to reduce the problem of checking conformance of inferred types to resource usage specifications).

• Verification of not only the usual safety property that an invalid resource access does not occur, but also an extended safety property (which we call partial liveness) that necessary resource accesses (e.g. closing of a file) are eventually performed unless the whole process diverges. Partial liveness is not guaranteed by Chaki et al.'s type system [5]. A noteworthy point about our type system for guaranteeing partial liveness is that it is parameterized by a mechanism that guarantees deadlock-freedom (in the sense of Kobayashi's definition [11]). So, our type system can be combined with any mechanism (model checking, abstract interpretation, another type system, or whatever) for verifying deadlock- or lock-freedom (e.g., Yoshida's graph type system [25]).

• Implementation of a prototype resource usage analyzer based on the proposed method. The implementation can be tested at http://www.yl.is.s.u-tokyo.ac.jp/~kohei/usage-j

The rest of this paper is structured as follows. Section 2 introduces an extension of the π-calculus with primitives for creating and accessing resources. Section 3 introduces a type system for resource usage analysis, which guarantees that well-typed processes never perform an invalid resource access. Section 4 gives a type inference algorithm for the type system. Section 5 extends the type system to guarantee that necessary resource accesses (such as closing of opened files) are eventually performed (unless the program diverges). Section 6 describes a prototype resource usage analyzer we have implemented based on the present work. Section 7 discusses related work. Section 8 concludes.

2. Processes 

This section introduces the syntax and the operational semantics of our target language. 



2.1. Syntax. 

Definition 2.1 (processes). The set of processes is defined by the following syntax.

$$\begin{array}{rcl}
P\ (\text{processes}) & ::= & \mathbf{0} \mid \bar{x}(v_1,\ldots,v_n).P \mid x(y_1,\ldots,y_n).P \mid (P \mid Q) \mid \mathbf{if}\ v\ \mathbf{then}\ P\ \mathbf{else}\ Q \\
& \mid & (\nu x)\,P \mid {*}P \mid \mathit{acc}_{\ell}(x).P \mid (\mathbf{N}^{\Phi} x)\,P \\
v\ (\text{values}) & ::= & x \mid \mathbf{true} \mid \mathbf{false}
\end{array}$$

Here, $x$, $y$, and $z$ range over a countably infinite set $\mathbf{Var}$ of variables. $\ell$ ranges over a set of labels called access labels. $\Phi$, called a trace set, denotes a set of sequences of access labels that is prefix-closed. The prefixes (like $(\nu x)$ and $(\mathbf{N}^{\Phi} x)$) bind tighter than the parallel composition $\mid$.

An access label specifies the kind of an access operation. Typical access labels that we are going to use in this paper are: $I$ for initialization, $R$ for read, $W$ for write, and $C$ for close.

Process $\mathit{acc}_{\ell}(x).P$ accesses the resource $x$, and then behaves like $P$. We will often write $\mathit{init}(x).P$, $\mathit{read}(x).P$, $\mathit{write}(x).P$, and $\mathit{close}(x).P$ for $\mathit{acc}_{I}(x).P$, $\mathit{acc}_{R}(x).P$, $\mathit{acc}_{W}(x).P$, and $\mathit{acc}_{C}(x).P$. Process $(\mathbf{N}^{\Phi} x)\,P$ creates a new resource with the bound name $x$ that should be accessed according to $\Phi$, and then behaves like $P$. $\Phi$ specifies a set of acceptable sequences of operations that are allowed for the new resource $x$. For example, $(\mathbf{N}^{(I(R+W)^{*}C)^{*}} x)\,P$ creates a resource that should be first initialized, read or written an arbitrary number of times, and then closed. Here, $(S)^{*}$ is the prefix closure of $S$, i.e., $\{s \mid ss' \in S\}$. We write $\epsilon$ for the empty sequence.

We often abbreviate a sequence $v_1,\ldots,v_n$ to $\tilde v$, and write $\bar{x}(\tilde v).P$ and $x(\tilde y).P$ for $\bar{x}(v_1,\ldots,v_n).P$ and $x(y_1,\ldots,y_n).P$. We often omit a trailing $\mathbf{0}$ and write $\bar{x}(\tilde v)$ and $\mathit{acc}_{\ell}(x)$ for $\bar{x}(\tilde v).\mathbf{0}$ and $\mathit{acc}_{\ell}(x).\mathbf{0}$ respectively.

The bound and free variables of $P$ are defined in the customary manner; $(\mathbf{N}^{\Phi} x)$ also binds $x$. We identify processes up to $\alpha$-conversion, and assume that $\alpha$-conversion is implicitly applied so that bound variables are always different from each other and from free variables.



2.2. Operational Semantics. We now formally define the operational semantics of our process calculus. The operational semantics is almost the same as the standard reduction semantics for the π-calculus, except that trace sets $\Phi$ (which represent how resources should be accessed in future) may change during reduction.

Definition 2.2. The structural preorder $\preceq$ is the least reflexive and transitive relation closed under the rules in Figure 1 ($P \equiv Q$ stands for $(P \preceq Q) \wedge (Q \preceq P)$).

Remark 2.3. As in our previous behavioral type systems for the π-calculus [10, 14, 15], the structural relation is asymmetric. If the standard, symmetric structural relation were used, the type preservation property would not hold: $\Gamma \triangleright {*}P \mid P : A$ does not necessarily imply $\Gamma \triangleright {*}P : A$ for the type system introduced in the next section.

Definition 2.4. The set of reduction labels, ranged over by $L$, is $\{x^{\ell} \mid x \in \mathbf{Var}\} \cup \{\tau\}$. We define $\mathit{target}(L)$ by:

$$\mathit{target}(x^{\ell}) = \{x\} \qquad \mathit{target}(\tau) = \emptyset$$

Definition 2.5. Let $\Phi$ be a set of sequences of access labels. The residual of $\Phi$ after the access $\ell$ is defined by $\{s \mid \ell s \in \Phi\}$.

Definition 2.6. The reduction relation $\xrightarrow{L}$ is the least relation closed under the rules in Figure 2.

We write $P \longrightarrow Q$ when $P \xrightarrow{L} Q$ for some $L$. We write $\longrightarrow^{*}$ for the reflexive and transitive closure of $\longrightarrow$.

Notice that when an invalid access to a resource occurs (i.e. when the program accesses $\ell$ but the specification $\Phi$ has no $\ell$-prefixes), then the resource specification $\Phi$ is set to $\emptyset$ by (R-NewR1). On the other hand, $\Phi \supsetneq \{\epsilon\}$ indicates a resource that has been correctly used so far, and $\Phi = \{\epsilon\}$ indicates one that has been correctly and completely used.

Definition 2.7. A process $P$ is resource-safe if it does not contain a sub-expression of the form $(\mathbf{N}^{\emptyset} x)Q$.

$$\begin{array}{ll}
P \mid \mathbf{0} \equiv P & \text{(SP-Zero)} \\
P \mid Q \equiv Q \mid P & \text{(SP-Commut)} \\
P \mid (Q \mid R) \equiv (P \mid Q) \mid R & \text{(SP-Assoc)} \\
{*}P \preceq {*}P \mid P & \text{(SP-Rep)} \\
(\nu x)\,P \mid Q \preceq (\nu x)\,(P \mid Q) \quad (\text{if } x \text{ not free in } Q) & \text{(SP-New)} \\
(\mathbf{N}^{\Phi} x)\,P \mid Q \preceq (\mathbf{N}^{\Phi} x)\,(P \mid Q) \quad (\text{if } x \text{ not free in } Q) & \text{(SP-NewR)} \\[1ex]
\dfrac{P \preceq P' \quad Q \preceq Q'}{P \mid Q \preceq P' \mid Q'} & \text{(SP-Par)} \\[2ex]
\dfrac{P \preceq Q}{(\nu x)\,P \preceq (\nu x)\,Q} & \text{(SP-CNew)} \\[2ex]
\dfrac{P \preceq Q}{(\mathbf{N}^{\Phi} x)\,P \preceq (\mathbf{N}^{\Phi} x)\,Q} & \text{(SP-CNewR)}
\end{array}$$

Figure 1: Structural Preorder

$$\begin{array}{ll}
\bar{x}(\tilde v).P \mid x(\tilde y).Q \xrightarrow{\tau} P \mid [\tilde v/\tilde y]Q & \text{(R-Com)} \\
\mathit{acc}_{\ell}(x).P \xrightarrow{x^{\ell}} P & \text{(R-Acc)} \\[1ex]
\dfrac{P \xrightarrow{L} Q}{P \mid R \xrightarrow{L} Q \mid R} & \text{(R-Par)} \\[2ex]
\mathbf{if}\ \mathbf{true}\ \mathbf{then}\ P\ \mathbf{else}\ Q \xrightarrow{\tau} P & \text{(R-IfT)} \\
\mathbf{if}\ \mathbf{false}\ \mathbf{then}\ P\ \mathbf{else}\ Q \xrightarrow{\tau} Q & \text{(R-IfF)} \\[1ex]
\dfrac{P \xrightarrow{L} Q \quad x \notin \mathit{target}(L)}{(\nu x)\,P \xrightarrow{L} (\nu x)\,Q} & \text{(R-New)} \\[2ex]
\dfrac{P \xrightarrow{x^{\ell}} Q}{(\mathbf{N}^{\Phi} x)\,P \xrightarrow{\tau} (\mathbf{N}^{\Phi'} x)\,Q} \quad (\Phi' = \{s \mid \ell s \in \Phi\}) & \text{(R-NewR1)} \\[2ex]
\dfrac{P \xrightarrow{L} Q \quad x \notin \mathit{target}(L)}{(\mathbf{N}^{\Phi} x)\,P \xrightarrow{L} (\mathbf{N}^{\Phi} x)\,Q} & \text{(R-NewR2)} \\[2ex]
\dfrac{P \preceq P' \quad P' \xrightarrow{L} Q' \quad Q' \preceq Q}{P \xrightarrow{L} Q} & \text{(R-SP)}
\end{array}$$

Figure 2: Reduction Relation
We give a type system guaranteeing that any resource-safe, well-typed process cannot be reduced to a non-safe process (in other words, any resource-safe, well-typed process never performs an invalid access) in Section 3.

Example 2.8. The following process first creates a resource $x$ that should be first initialized, read an arbitrary number of times, and then closed. It then spawns four processes; they synchronize through channels $c_1$ and $c_2$, so that $x$ is accessed in a valid order.

$$\begin{array}{ll}
(\mathbf{N}^{(IR^{*}C)^{*}} x)(\nu c_1)(\nu c_2)\,( & \\
\quad \mathit{init}(x).(\bar{c_1}(\,) \mid \bar{c_1}(\,)) & \text{/* initialize } x \text{, and send signals */} \\
\quad \mid c_1(\,).\mathit{read}(x).\bar{c_2}(\,) & \text{/* wait for a signal on } c_1 \text{, then read } x \text{, and signal on } c_2 \text{ */} \\
\quad \mid c_1(\,).\mathit{read}(x).\bar{c_2}(\,) & \text{/* wait for a signal on } c_1 \text{, then read } x \text{, and signal on } c_2 \text{ */} \\
\quad \mid c_2(\,).c_2(\,).\mathit{close}(x)\ ) & \text{/* wait on } c_2 \text{ twice, then close } x \text{ */}
\end{array}$$

The above program corresponds to the following higher-level program: init(x); parbegin read(x); read(x) parend; close(x). □

Example 2.9. The following program is prototypical of recursive functions. There is a replicated service which listens on channel $s$; it either terminates the recursion by sending a message back on the reply channel $r$, or it recursively invokes a sub-instance of itself which will reply on a private channel $r'$. In this example each recursive step does a $\mathit{read}(x)$. The following program uses an integer to decide whether or not to recurse. Though our language does not have integers and operations on them as primitives, it is trivial to extend our language and type system with those primitives.

$$\begin{array}{l}
(\nu s)\,(\ {*}(s(n,x,r).\ \mathbf{if}\ n = 0\ \mathbf{then}\ \bar{r}(\,)\ \mathbf{else}\ (\nu r')\,(\bar{s}(n-1,x,r') \mid r'(\,).\mathit{read}(x).\bar{r}(\,))) \\
\quad \mid (\mathbf{N}^{(IR^{*}C)^{*}} x)(\nu r)\,(\mathit{init}(x).\bar{s}(100,x,r) \mid r(\,).\mathit{close}(x))\ )
\end{array}$$

□

Example 2.10. Consider the following producer/consumer program:¹

$$\begin{array}{l}
(\nu \mathit{producer})(\nu \mathit{consumer})\,( \\
\quad {*}(\mathit{producer}(b,p,c).\ p(\,).\mathit{acc}_{P}(b).(\bar{c}(\,) \mid \overline{\mathit{producer}}(b,p,c))) \mid \\
\quad {*}(\mathit{consumer}(b,p,c).\ c(\,).\mathit{acc}_{G}(b).(\bar{p}(\,) \mid \overline{\mathit{consumer}}(b,p,c))) \mid \\
\quad (\mathbf{N}^{(PG)^{*}} \mathit{buf})(\nu x)(\nu y)\,(\ {*}(\overline{\mathit{producer}}(\mathit{buf},x,y)) \mid {*}(\overline{\mathit{consumer}}(\mathit{buf},x,y)) \mid \bar{x}(\,)\ )\ )
\end{array}$$

The first two processes ${*}(\mathit{producer}(b,p,c).\cdots)$ and ${*}(\mathit{consumer}(b,p,c).\cdots)$ define the behavior of producers and consumers. A producer repeatedly waits to receive a signal on $p$, performs a put on the buffer $b$ (by $\mathit{acc}_{P}(b)$), and then sends a signal on $c$. A consumer repeatedly waits to receive a signal on $c$, performs a get on the buffer $b$ (by $\mathit{acc}_{G}(b)$), and then sends a signal on $p$. The third process creates a new buffer on which put and get should be applied only alternately, creates two channels $x$ and $y$ used for synchronization, and runs infinitely many producers and consumers.

Remark 2.11. We treat resources as primitives in this paper, but we could alternatively express a resource as a tuple of channels, each of which corresponds to an access operation. For example, the resource in Example 2.8 can be expressed as a tuple consisting of three channels $\mathit{init}$, $\mathit{read}$, and $\mathit{close}$. If we did so, we could directly reuse the previous type systems [10, 14] to infer some of the properties discussed in this paper (with different precision). Treating resources as primitives, however, simplifies the type systems introduced in later sections and clarifies the essence: if we expressed a resource as a tuple of channels, we would need primitives for simultaneous creation of multiple channels as in [10], and would need to care about whether communications on the resource access channels succeed or not. On the other hand, our resource access primitives are non-blocking, which simplifies in particular the extended type system discussed in Section 5.

¹This is an example taken from an earlier version of [20] and modified.

3. Type System 

This section introduces a type system that prevents invalid access to resources. The type system in this section does not guarantee the liveness property that all the necessary accesses are eventually made; extensions to guarantee that property are discussed in Section 5.

3.1. Types. We first introduce the syntax of types. We use two categories of types: value types and behavioral types. The latter describe how a process accesses resources and communicates through channels. As mentioned in Section 1, we use CCS processes for behavioral types.

Definition 3.1 (types). The sets of value types $\sigma$ and behavioral types $A$ are defined by:

$$\begin{array}{rcl}
\sigma & ::= & \mathbf{bool} \mid \mathbf{res} \mid \mathbf{chan}((x_1 : \sigma_1, \ldots, x_n : \sigma_n)A) \\
A & ::= & \mathbf{0} \mid \alpha \mid a.A \mid x^{\ell}.A \mid \tau.A \mid (A_1 \mid A_2) \mid A_1 \oplus A_2 \mid {*}A \\
& \mid & (y_1/x_1, \ldots, y_n/x_n)A \mid (\nu x)\,A \mid \mu\alpha.A \mid A{\uparrow}_S \mid A{\downarrow}_S \\
a\ (\text{communication labels}) & ::= & x \mid \bar{x}
\end{array}$$

A behavioral type $A$, which is a CCS process, describes what kind of communication and resource access a process may perform. $\mathbf{0}$ describes a process that performs no communication or resource access. The types $x.A$, $\bar{x}.A$, $x^{\ell}.A$ and $\tau.A$ describe processes that first perform an action and then behave according to $A$; the actions are, respectively, an input on $x$, an output on $x$, an access operation $\ell$ on $x$, and the invisible action. $A_1 \mid A_2$ describes a process that performs communications and resource access according to $A_1$ and $A_2$, possibly in parallel. $A_1 \oplus A_2$ describes a process that behaves according to either $A_1$ or $A_2$. ${*}A$ describes a process that behaves like $A$ an arbitrary number of times, possibly in parallel. $(y_1/x_1, \ldots, y_n/x_n)A$, abbreviated to $(\tilde y/\tilde x)A$, denotes simultaneous renaming of $\tilde x$ with $\tilde y$ in $A$. $(\nu x)\,A$ describes a process that behaves like $A$ for some hidden channel $x$. For example, $(\nu x)\,(x.\bar{y} \mid \bar{x})$ describes a process that performs an output on $y$ after the invisible action on $x$. The type $\mu\alpha.A$ describes a process that behaves like a recursive process defined by $\alpha = A$.² The type $A{\uparrow}_S$ describes a process that behaves like $A$, except that actions whose targets are in $S$ are replaced by the invisible action $\tau$, while $A{\downarrow}_S$ describes a process that behaves like $A$, except that actions whose targets are not in $S$ are replaced by $\tau$. The formal semantics of behavioral types is defined later using a labeled transition semantics.

As for value types, $\mathbf{bool}$ is the type of booleans. $\mathbf{res}$ is the type of resources. The type $\mathbf{chan}((x_1 : \sigma_1, \ldots, x_n : \sigma_n)A)$, abbreviated to $\mathbf{chan}((\tilde x : \tilde\sigma)A)$, describes channels carrying tuples consisting of values of types $\sigma_1, \ldots, \sigma_n$. Here the type $A$ approximates how a receiver on the channel may use the elements $x_1, \ldots, x_n$ of each tuple for communications and resource access. For example, $\mathbf{chan}((x : \mathbf{res}, y : \mathbf{res})x^{R}.y^{C})$ describes channels carrying a pair of resources, where a party who receives the actual pair $(x', y')$ will first read $x'$ and then close $y'$. We sometimes omit $\tilde\sigma$ and write $\mathbf{chan}((\tilde x)A)$ for $\mathbf{chan}((\tilde x : \tilde\sigma)A)$. When $\tilde x$ is empty, we also write $\mathbf{chan}()$.

Note that $(\tilde y/\tilde x)$ is treated as a constructor rather than an operator for performing the actual substitution. We write $[\tilde y/\tilde x]$ for the latter throughout this paper. $(\tilde y/\tilde x)A$ is slightly different from the relabeling of standard CCS [19]: $(y/x)(\bar{x} \mid y)$ allows the communication on $y$, but the relabeling of CCS does not. This difference calls for the introduction of a special transition label $\{x,y\}$ in Section 3.2.

²The replication ${*}A$ and $\mu\alpha.(A \mid \alpha)$ have the same semantics in this section, but they are differentiated in Section 5 by the predicate $\mathit{disabled}$.

Definition 3.2. The set of free variables of $A$, written $\mathit{FV}(A)$, is defined by:

$$\begin{array}{rcl}
\mathit{FV}(\mathbf{0}) & = & \emptyset \\
\mathit{FV}(\alpha) & = & \emptyset \\
\mathit{FV}(x.A) & = & \{x\} \cup \mathit{FV}(A) \\
\mathit{FV}(\bar{x}.A) & = & \{x\} \cup \mathit{FV}(A) \\
\mathit{FV}(x^{\ell}.A) & = & \{x\} \cup \mathit{FV}(A) \\
\mathit{FV}(\tau.A) & = & \mathit{FV}(A) \\
\mathit{FV}(A_1 \mid A_2) & = & \mathit{FV}(A_1) \cup \mathit{FV}(A_2) \\
\mathit{FV}(A_1 \oplus A_2) & = & \mathit{FV}(A_1) \cup \mathit{FV}(A_2) \\
\mathit{FV}({*}A) & = & \mathit{FV}(A) \\
\mathit{FV}((\tilde y/\tilde x)A) & = & (\mathit{FV}(A) \setminus \{\tilde x\}) \cup \{\tilde y\} \\
\mathit{FV}((\nu x)\,A) & = & \mathit{FV}(A) \setminus \{x\} \\
\mathit{FV}(\mu\alpha.A) & = & \mathit{FV}(A) \\
\mathit{FV}(A{\uparrow}_S) & = & \mathit{FV}(A) \setminus S \\
\mathit{FV}(A{\downarrow}_S) & = & \mathit{FV}(A) \cap S
\end{array}$$

As defined above, $(\nu x)\,A$, $(\tilde y/\tilde x)A$, and $A{\uparrow}_S$ bind $x$, $\tilde x$, and the variables in $S$ respectively. We identify behavioral types up to renaming of bound variables. In the rest of this paper, we require that every channel type $\mathbf{chan}((x_1 : \sigma_1, \ldots, x_n : \sigma_n)A)$ must satisfy $\mathit{FV}(A) \subseteq \{x_1, \ldots, x_n\}$. For example, $\mathbf{chan}((x:\mathbf{res})x^{R})$ is a valid type but $\mathbf{chan}((x:\mathbf{res})y^{R})$ is not.³



3.2. Semantics of behavioral types. We give a labeled transition relation $\xrightarrow{l}$ for behavioral types. The transition labels $l$ (distinct from the reduction labels $L$ of Definition 2.4) are

$$l ::= x \mid \bar{x} \mid x^{\ell} \mid \tau \mid \{x,y\}$$

The label $\{x,y\}$ indicates the potential to react in the presence of a substitution that identifies $x$ and $y$. We also extend $\mathit{target}$ to a function on transition labels by:

$$\mathit{target}(x) = \mathit{target}(\bar{x}) = \{x\} \qquad \mathit{target}(\{x,y\}) = \{x,y\}$$

The transition relation $\xrightarrow{l}$ on behavioral types is the least relation closed under the rules in Figure 3. We write $\Longrightarrow$ for the reflexive and transitive closure of $\longrightarrow$. We also write $\stackrel{l}{\Longrightarrow}$ for $\Longrightarrow \xrightarrow{l} \Longrightarrow$.

³This constraint can be removed if we assume that the free variables in $\mathit{codom}(\Gamma)$ never clash with the bound variables of $P$ in the judgment form $\Gamma \triangleright P : A$ given later. In particular, we need the implicit assumption $\{\tilde y\} \cap \mathit{FV}(\Gamma) = \emptyset$ in Figure 4 (T-In).
$$\begin{array}{ll}
a.A \xrightarrow{a} A \qquad x^{\ell}.A \xrightarrow{x^{\ell}} A \qquad \tau.A \xrightarrow{\tau} A & \text{(Tr-Act)} \\[1ex]
\dfrac{A_1 \xrightarrow{l} A_1'}{A_1 \mid A_2 \xrightarrow{l} A_1' \mid A_2} \qquad \dfrac{A_2 \xrightarrow{l} A_2'}{A_1 \mid A_2 \xrightarrow{l} A_1 \mid A_2'} & \text{(Tr-Par1)} \\[2ex]
\dfrac{A_1 \xrightarrow{x} A_1' \quad A_2 \xrightarrow{\bar{y}} A_2'}{A_1 \mid A_2 \xrightarrow{\{x,y\}} A_1' \mid A_2'} \qquad \dfrac{A_1 \xrightarrow{\bar{x}} A_1' \quad A_2 \xrightarrow{y} A_2'}{A_1 \mid A_2 \xrightarrow{\{x,y\}} A_1' \mid A_2'} & \text{(Tr-Par2)} \\[2ex]
\dfrac{A \xrightarrow{\{x,x\}} A'}{A \xrightarrow{\tau} A'} & \text{(Tr-Com)} \\[2ex]
\dfrac{A_1 \xrightarrow{l} A_1'}{A_1 \oplus A_2 \xrightarrow{l} A_1'} \qquad \dfrac{A_2 \xrightarrow{l} A_2'}{A_1 \oplus A_2 \xrightarrow{l} A_2'} & \text{(Tr-Or)} \\[2ex]
\dfrac{A \mid {*}A \xrightarrow{l} A'}{{*}A \xrightarrow{l} A'} & \text{(Tr-Rep)} \\[2ex]
\dfrac{[\mu\alpha.A/\alpha]A \xrightarrow{l} A'}{\mu\alpha.A \xrightarrow{l} A'} & \text{(Tr-Rec)} \\[2ex]
\dfrac{A \xrightarrow{l} A'}{(\tilde y/\tilde x)A \xrightarrow{[\tilde y/\tilde x]l} (\tilde y/\tilde x)A'} & \text{(Tr-Rename)} \\[2ex]
\dfrac{A \xrightarrow{l} A' \quad \mathit{target}(l) \cap \{x\} = \emptyset}{(\nu x)\,A \xrightarrow{l} (\nu x)\,A'} & \text{(Tr-Hiding)} \\[2ex]
\dfrac{A \xrightarrow{l} A' \quad \mathit{target}(l) \subseteq S}{A{\uparrow}_S \xrightarrow{\tau} A'{\uparrow}_S} \qquad \dfrac{A \xrightarrow{l} A' \quad \mathit{target}(l) \cap S = \emptyset}{A{\uparrow}_S \xrightarrow{l} A'{\uparrow}_S} & \text{(Tr-Exclude)} \\[2ex]
\dfrac{A \xrightarrow{l} A' \quad \mathit{target}(l) \subseteq S}{A{\downarrow}_S \xrightarrow{l} A'{\downarrow}_S} \qquad \dfrac{A \xrightarrow{l} A' \quad \mathit{target}(l) \cap S = \emptyset}{A{\downarrow}_S \xrightarrow{\tau} A'{\downarrow}_S} & \text{(Tr-Project)}
\end{array}$$

Figure 3: Transition semantics of behavioral types



Remark 3.3. $(\nu x)\,A$ should not be confused with $A{\uparrow}_{\{x\}}$. $(\nu x)\,A$ is the hiding operator of CCS, while $A{\uparrow}_{\{x\}}$ just replaces any actions on $x$ with $\tau$ [19]. For example, $(\nu x)\,(x.y^{\ell})$ cannot make any transition, but $(x.y^{\ell}){\uparrow}_{\{x\}} \xrightarrow{\tau} \xrightarrow{y^{\ell}} \mathbf{0}{\uparrow}_{\{x\}}$.

The set $\mathit{traces}_x(A)$ defined below is the set of possible access sequences on $x$ described by $A$.

Definition 3.4 (traces).

$$\mathit{traces}_x(A) = \{\ell_1 \cdots \ell_n \mid A \Longrightarrow \xrightarrow{x^{\ell_1}} \Longrightarrow \cdots \xrightarrow{x^{\ell_n}} \Longrightarrow A'\}$$

Note that $\mathit{traces}_x(A)$ is prefix-closed (hence a trace set) by definition.
We define the subtyping relation $A_1 \le A_2$ below. Intuitively, $A_1 \le A_2$ means that a process behaving according to $A_1$ can also be viewed as a process behaving according to $A_2$. To put it another way, $A_1 \le A_2$ means that $A_2$ simulates $A_1$. We define $\le$ only for closed types, i.e., those not containing free type variables.

Definition 3.5 (subtyping). The subtyping relation $\le$ on closed behavioral types is the largest relation such that $A_1 \le A_2$ and $A_1 \xrightarrow{l} A_1'$ implies $A_2 \stackrel{l}{\Longrightarrow} A_2'$ and $A_1' \le A_2'$ for some $A_2'$.

We often write $A_1 \ge A_2$ for $A_2 \le A_1$, and write $A_1 \approx A_2$ for $A_1 \le A_2 \wedge A_2 \le A_1$.

Remark 3.6. Note that the subtyping relation defined here is the converse of the one used in Igarashi and Kobayashi's generic type system [10]. This is due to two different, dual views on behavioral types. Here, we think of behavioral types as describing the behavior of processes. On the other hand, Igarashi and Kobayashi [10] think of behavioral types as describing the assumption on the environment about what kind of process is accepted by the environment. Because of this difference, they write behavioral types on the left-hand side of $\triangleright$, and write $A_1 \& A_2$ for non-deterministic choice instead of $A_1 \oplus A_2$.

Remark 3.7. Depending on what property the type system should guarantee, a finer subtyping relation may need to be chosen. For example, the above definition allows $(x^{W}.\mathbf{0}) \mid (x^{W}.\mathbf{0}) \le x^{W}.x^{W}.\mathbf{0}$. We may want to disallow this relation if we want to infer a property like "no simultaneous writes on $x$ can occur."

The following properties are satisfied by $\le$. For proofs, see Appendix A.

Lemma 3.8.

(1) $\le$ is a precongruence, i.e., $\le$ is closed under any behavioral type constructor.

(2) If $A_1 \le A_2$, then $\mathit{traces}_x(A_1) \subseteq \mathit{traces}_x(A_2)$ for any $x$.

(3) $B_1 \oplus B_2 \le A$ if and only if $B_1 \le A$ and $B_2 \le A$.

(4) If $[B/\alpha]A \le B$, then $\mu\alpha.A \le B$.

3.3. Typing. We consider two kinds of judgments, $\Gamma \triangleright v : \sigma$ for values, and $\Gamma \triangleright P : A$ for processes. $\Gamma$ is a mapping from a finite set of variables to value types. In $\Gamma \triangleright P : A$, the type environment $\Gamma$ describes the types of the variables, and $A$ describes the possible behaviors of $P$. For example, $x : \mathbf{chan}((b : \mathbf{bool})\mathbf{0}) \triangleright P : \bar{x} \mid \bar{x}$ implies that $P$ may send booleans along the channel $x$ twice. The judgment $y : \mathbf{chan}((x : \mathbf{chan}((b : \mathbf{bool})\mathbf{0}))\bar{x}) \triangleright Q : y$ means that $Q$ may perform an input on $y$ once, and then it may send a boolean on the received value. Note that in the judgment $\Gamma \triangleright P : A$, the type $A$ is an approximation of the behavior of $P$ on free channels. $P$ may do less than what is specified by $A$, but must not do more; for example, $x : \mathbf{chan}((\,)\mathbf{0}) \triangleright \bar{x}(\,) : \bar{x} \mid \bar{x}$ holds but $x : \mathbf{chan}((\,)\mathbf{0}) \triangleright \bar{x}(\,).\bar{x}(\,) : \bar{x}$ does not. Because of this invariant, if $A$ does not perform any invalid access, neither does $P$.

We write $\mathit{dom}(\Gamma)$ for the domain of $\Gamma$. We write $\emptyset$ for the empty type environment, and write $x_1 : \tau_1, \ldots, x_n : \tau_n$ (where $x_1, \ldots, x_n$ are distinct from each other) for the type environment $\Gamma$ such that $\mathit{dom}(\Gamma) = \{x_1, \ldots, x_n\}$ and $\Gamma(x_i) = \tau_i$ for each $i \in \{1, \ldots, n\}$. When $x \notin \mathit{dom}(\Gamma)$, we write $\Gamma, x : \tau$ for the type environment $\Delta$ such that $\mathit{dom}(\Delta) = \mathit{dom}(\Gamma) \cup \{x\}$, $\Delta(x) = \tau$, and $\Delta(y) = \Gamma(y)$ for $y \in \mathit{dom}(\Gamma)$. We define the value judgment relation $\Gamma \triangleright v : \sigma$ to be the least relation closed under

$$\Gamma, x : \sigma \triangleright x : \sigma \qquad \Gamma \triangleright \mathbf{true} : \mathbf{bool} \qquad \Gamma \triangleright \mathbf{false} : \mathbf{bool}.$$

We write $\Gamma \triangleright \tilde v : \tilde\sigma$ as an abbreviation for $(\Gamma \triangleright v_1 : \sigma_1) \wedge \cdots \wedge (\Gamma \triangleright v_n : \sigma_n)$.

Definition 3.9. The type judgment relation $\Gamma \triangleright P : A$ is the least relation closed under the rules given in Figure 4.

We explain key rules below.

In rule (T-Out), the first premise $\Gamma \triangleright P : A_2$ implies that the continuation of the output process behaves like $A_2$, and the second premise $\Gamma \triangleright x : \mathbf{chan}((\tilde y : \tilde\sigma)A_1)$ implies that the tuple of values $\tilde v$ being sent may be used by an input process according to $(\tilde v/\tilde y)A_1$. Therefore, the whole behavior of the output process is described by $\bar{x}.((\tilde v/\tilde y)A_1 \mid A_2)$. Here, $(v_1/x_1, \ldots, v_n/x_n)A$ stands for $(v_{i_1}/x_{i_1}, \ldots, v_{i_k}/x_{i_k})A$ where $\{v_{i_1}, \ldots, v_{i_k}\} = \{v_1, \ldots, v_n\} \setminus \{\mathbf{true}, \mathbf{false}\}$. For example, $(\mathbf{true}/x, y/z)A$ stands for $(y/z)A$. Note that, as in previous behavioral type systems [5, 10], the resource access and communications made on $\tilde v$ by the receiver of $\tilde v$ are counted as the behavior of the output process (see Remark 3.13).

In rule (T-In), the first premise implies that the continuation of the input process behaves like $A_2$. Following previous behavioral type systems [10], we split $A_2$ into two parts: $A_2{\downarrow}_{\{\tilde y\}}$ and $A_2{\uparrow}_{\{\tilde y\}}$. The first part describes the behavior on the received values $\tilde y$ and is taken into account in the channel type. The second part describes the resource access and communications performed on other values, and is taken into account in the behavioral type of the input process. The condition $A_2{\downarrow}_{\{\tilde y\}} \le A_1$ requires that the access and communication behavior on $\tilde y$ conforms to $A_1$, the channel arguments' behavior.

In (T-New), the premise implies that $P$ behaves like $A$, so that $(\nu x)\,P$ behaves like $(\nu x)\,A$. Here, we only require that $x$ is a channel, unlike in the previous behavioral type systems for the π-calculus [10, 15]. That is because we are only interested in the resource access behavior; the communication behavior is used only for accurately inferring the resource access behavior.

In (T-NewR), we check that the process's behavior $A$ conforms to the resource usage specification $\Phi$.

Rule (T-Sub) allows the type $A'$ of a process to be replaced by its approximation $A$. We remark that weakening of $\Gamma$ can be derived (Appendix B, Lemma B.1) and so is not needed as a rule.

The following example shows how information about the usage of resources by an input process is propagated to an output process.

Example 3.10. Let us consider $(\mathbf{N}^{\Phi} x)P$, where

$$\Phi = (R^{*}C)^{*}$$
$$P = (\nu y)\,(\bar{y}(x,x) \mid y(z_1,z_2).\mathit{read}(z_1).\mathit{close}(z_2)).$$

Let $\Gamma = y : \mathbf{chan}((z_1, z_2)z_1^{R}.z_2^{C}), x : \mathbf{res}$. Then, the following judgments hold for the output and input processes.

$$\Gamma \triangleright \bar{y}(x,x) : \bar{y}.x^{R}.x^{C}$$
$$\Gamma \triangleright y(z_1,z_2).\mathit{read}(z_1).\mathit{close}(z_2) : y$$

Here, we have used the subtyping relations $(x/z_1, x/z_2)z_1^{R}.z_2^{C} \approx x^{R}.x^{C}$ and $(z_1^{R}.z_2^{C}){\uparrow}_{\{z_1,z_2\}} \approx \mathbf{0}$. By using (T-Par) and (T-New), we obtain

$$x : \mathbf{res} \triangleright P : (\nu y)\,(\bar{y}.x^{R}.x^{C} \mid y)$$
$$\begin{array}{ll}
\Gamma \triangleright \mathbf{0} : \mathbf{0} & \text{(T-Zero)} \\[1ex]
\dfrac{\Gamma \triangleright P : A_2 \quad \Gamma \triangleright x : \mathbf{chan}((\tilde y : \tilde\sigma)A_1) \quad \Gamma \triangleright \tilde v : \tilde\sigma}{\Gamma \triangleright \bar{x}(\tilde v).P : \bar{x}.((\tilde v/\tilde y)A_1 \mid A_2)} & \text{(T-Out)} \\[2ex]
\dfrac{\Gamma, \tilde y : \tilde\sigma \triangleright P : A_2 \quad \Gamma \triangleright x : \mathbf{chan}((\tilde y : \tilde\sigma)A_1) \quad A_2{\downarrow}_{\{\tilde y\}} \le A_1}{\Gamma \triangleright x(\tilde y).P : x.(A_2{\uparrow}_{\{\tilde y\}})} & \text{(T-In)} \\[2ex]
\dfrac{\Gamma \triangleright P_1 : A_1 \quad \Gamma \triangleright P_2 : A_2}{\Gamma \triangleright P_1 \mid P_2 : A_1 \mid A_2} & \text{(T-Par)} \\[2ex]
\dfrac{\Gamma \triangleright P : A}{\Gamma \triangleright {*}P : {*}A} & \text{(T-Rep)} \\[2ex]
\dfrac{\Gamma \triangleright v : \mathbf{bool} \quad \Gamma \triangleright P : A \quad \Gamma \triangleright Q : A}{\Gamma \triangleright \mathbf{if}\ v\ \mathbf{then}\ P\ \mathbf{else}\ Q : A} & \text{(T-If)} \\[2ex]
\dfrac{\Gamma, x : \mathbf{chan}((\tilde y : \tilde\sigma)A_1) \triangleright P : A_2}{\Gamma \triangleright (\nu x)\,P : (\nu x)\,A_2} & \text{(T-New)} \\[2ex]
\dfrac{\Gamma \triangleright P : A \quad \Gamma \triangleright x : \mathbf{res}}{\Gamma \triangleright \mathit{acc}_{\ell}(x).P : x^{\ell}.A} & \text{(T-Acc)} \\[2ex]
\dfrac{\Gamma, x : \mathbf{res} \triangleright P : A \quad \mathit{traces}_x(A) \subseteq \Phi}{\Gamma \triangleright (\mathbf{N}^{\Phi} x)\,P : A{\uparrow}_{\{x\}}} & \text{(T-NewR)} \\[2ex]
\dfrac{\Gamma \triangleright P : A' \quad A' \le A}{\Gamma \triangleright P : A} & \text{(T-Sub)}
\end{array}$$

Figure 4: Typing Rules



Using (T-Sub) with $(\nu y)\,(\bar{y}.x^{R}.x^{C} \mid y) \approx x^{R}.x^{C}$, we get

$$x : \mathbf{res} \triangleright P : x^{R}.x^{C}$$

Since $\mathit{traces}_x(x^{R}.x^{C}) \subseteq (R^{*}C)^{*}$, we obtain $\emptyset \triangleright (\mathbf{N}^{\Phi} x)P : \mathbf{0}$ by using (T-NewR) and (T-Sub). □
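The trace check behind (T-NewR) can be mechanised for the finite fragment of behavioral types; the following Python is an added illustration, not code from the paper or from its prototype analyzer. It encodes types without renaming, recursion or replication (so the state space is finite), implements the transitions of Figure 3 for that fragment, computes $\mathit{traces}_x(A)$ of Definition 3.4, and checks $\mathit{traces}_x(A) \subseteq \Phi$ with $\Phi$ given as a hand-written regular expression for the prefix closure. It assumes that $\Longrightarrow$ may skip transitions of any label (the environment may supply any communication); the types for Example 2.8 and for the unsafe variant are written by hand.

```python
import re

# Behavioral types of the finite fragment 0, a.A, x^l.A, tau.A, A1|A2, A1(+)A2, (nu x)A,
# encoded as nested tuples so that every type is hashable (it is a state of the LTS).
ZERO = ('zero',)

def inp(x, A=ZERO):       return ('in', x, A)         # x.A      (input on x)
def out(x, A=ZERO):       return ('out', x, A)        # x-bar.A  (output on x)
def acc(x, l, A=ZERO):    return ('acc', x, l, A)     # x^l.A    (access l on resource x)
def tau(A):               return ('tau', A)           # tau.A
def choice(A1, A2):       return ('or', A1, A2)       # A1 (+) A2
def nu(x, A):             return ('nu', x, A)         # (nu x)A
def par(*As):                                         # A1 | A2 | ... (left-nested)
    A = As[0]
    for B in As[1:]:
        A = ('par', A, B)
    return A

def target(l):
    """target(l) as in Section 3.2; tau has no target."""
    return set() if l[0] == 'tau' else {l[1]}

def step(A):
    """One-step transitions of A as a list of (label, A'), following Figure 3."""
    kind = A[0]
    if kind == 'zero':
        return []
    if kind in ('in', 'out'):                                   # (Tr-Act)
        return [((kind, A[1]), A[2])]
    if kind == 'acc':                                           # (Tr-Act)
        return [(('acc', A[1], A[2]), A[3])]
    if kind == 'tau':                                           # (Tr-Act)
        return [(('tau',), A[1])]
    if kind == 'or':                                            # (Tr-Or)
        return step(A[1]) + step(A[2])
    if kind == 'par':                                           # (Tr-Par1)
        A1, A2 = A[1], A[2]
        s1, s2 = step(A1), step(A2)
        res = [(l, ('par', B, A2)) for l, B in s1]
        res += [(l, ('par', A1, B)) for l, B in s2]
        for l1, B1 in s1:                                       # (Tr-Par2)+(Tr-Com):
            for l2, B2 in s2:                                   # x with x-bar gives tau
                if {l1[0], l2[0]} == {'in', 'out'} and l1[1] == l2[1]:
                    res.append((('tau',), ('par', B1, B2)))
        return res
    if kind == 'nu':                                            # (Tr-Hiding)
        x, B = A[1], A[2]
        return [(l, ('nu', x, C)) for l, C in step(B) if x not in target(l)]
    raise ValueError('unknown constructor %r' % kind)

def traces(x, A):
    """traces_x(A) of Definition 3.4: access-label sequences on x along any path.
    Assumption: the double arrow skips transitions of any label, not only tau."""
    result, seen, work = set(), set(), [(A, '')]
    while work:
        B, tr = work.pop()
        if (B, tr) in seen:
            continue
        seen.add((B, tr))
        result.add(tr)          # every prefix is recorded, so the result is prefix-closed
        for l, C in step(B):
            work.append((C, tr + l[2] if l[0] == 'acc' and l[1] == x else tr))
    return result

def violations(x, A, spec):
    """Traces of A on x outside the prefix-closed spec Phi (a regex over access
    labels).  An empty set means the premise traces_x(A) ⊆ Phi of (T-NewR) holds."""
    return {t for t in traces(x, A) if not re.fullmatch(spec, t)}

# Specifications, written by hand as prefix closures:
SPEC_RC = r'[RC]*'              # (R*C)* of Example 3.10: any string over {R, C}
SPEC_IRC = r'(IR*C)*(IR*)?'     # (IR*C)* of Example 2.8: init, reads, close, repeated

# Example 3.10: the type (nu y)(y-bar.x^R.x^C | y) of P.
EX_3_10 = nu('y', par(out('y', acc('x', 'R', acc('x', 'C'))), inp('y')))

# Example 2.8: the type read off its body with (T-Acc), (T-In), (T-Out), (T-Par), (T-New):
# (nu c1)(nu c2)(x^I.(c1-bar | c1-bar) | c1.x^R.c2-bar | c1.x^R.c2-bar | c2.c2.x^C)
EX_2_8 = nu('c1', nu('c2', par(
    acc('x', 'I', par(out('c1'), out('c1'))),
    inp('c1', acc('x', 'R', out('c2'))),
    inp('c1', acc('x', 'R', out('c2'))),
    inp('c2', inp('c2', acc('x', 'C'))))))

# Constructed unsafe variant: close(x) no longer waits for a signal, so C may
# precede I and traces_x is not included in (IR*C)*.
BAD = nu('c', par(acc('x', 'I', out('c')), inp('c', acc('x', 'R')), acc('x', 'C')))

if __name__ == '__main__':
    for name, A, spec in [('Example 3.10', EX_3_10, SPEC_RC),
                          ('Example 2.8', EX_2_8, SPEC_IRC),
                          ('unsafe variant', BAD, SPEC_IRC)]:
        bad = violations('x', A, spec)
        print(name, sorted(traces('x', A)), 'OK' if not bad else 'VIOLATES: %s' % sorted(bad))
```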

Example 3.11. Recall Example 2.9:

$$\begin{array}{l}
P = (\nu s)\,({*}s(n,x,r).P_1 \mid (\mathbf{N}^{\Phi} x)P_2) \\
P_1 = \mathbf{if}\ n = 0\ \mathbf{then}\ \bar{r}(\,)\ \mathbf{else}\ (\nu r')\,(\bar{s}(n-1,x,r') \mid r'(\,).\mathit{read}(x).\bar{r}(\,)) \\
P_2 = (\nu r)\,(\mathit{init}(x).\bar{s}(100,x,r) \mid r(\,).\mathit{close}(x)) \\
\Phi = (IR^{*}C)^{*}
\end{array}$$

Let $A_1 = \mu\alpha.(\bar{r} \oplus (\nu r')\,((r'/r)\alpha \mid r'.x^{R}.\bar{r}))$ and let $\Gamma = s : \mathbf{chan}((n : \mathbf{int}, x : \mathbf{res}, r : \mathbf{chan}())A_1)$. Then

$$\begin{array}{l}
\Gamma, n : \mathbf{int}, x : \mathbf{res}, r : \mathbf{chan}() \triangleright P_1 : A_1 \\
\Gamma \triangleright {*}s(n,x,r).P_1 : {*}s.(A_1{\uparrow}_{\{n,x,r\}}) \approx {*}s \\
\Gamma \triangleright P_2 : (\nu r)\,(x^{I}.A_1 \mid r.x^{C})
\end{array}$$

So long as $\mathit{traces}_x((\nu r)\,(x^{I}.A_1 \mid r.x^{C})) \subseteq \Phi$, we obtain $\emptyset \triangleright P : \mathbf{0}$. See Section 4.3 for the algorithm that establishes $\mathit{traces}_x(\cdot) \subseteq \Phi$. □

Remark 3.12. The type $A_1$ in the example above demonstrates how recursion, hiding, and renaming are used together. In general, in order to type a recursive process of the form ${*}s(\tilde x).(\nu \tilde y)\,(\cdots)$, we need to find a type $A$ that satisfies $(\nu \tilde y)\,(\cdots (\tilde y/\tilde x)A \cdots) \le A$. Moreover, for the type inference (in Section 4) we must find the least such $A$. Thanks to the type constructors for recursion, hiding, and renaming, we can always do that: $A$ can be expressed by $\mu\alpha.(\nu \tilde y)\,(\cdots (\tilde y/\tilde x)\alpha \cdots)$ (recall Lemma 3.8(4)).

Remark 3.13. A reader may wonder why the rules (T-Out) and (T-In) are asymmetric, in the sense that information about the continuation of a receiver process is transferred to a sender process but not vice versa. That design choice comes from the observation that a channel or resource exchanged between a sender and a receiver is, in general, statically known only to the sender, so that we have to put information about the behavior on the channel or resource into the type of the sender. For example, consider the process $((\nu y)\,(\bar{x}(y) \mid \cdots) \mid x(z).\bar{z}(\,))$. Since the receiver $x(z).\bar{z}(\,)$ is not in the scope of $y$, we have to put the information that $y$ will be used for output into the type of the sender $\bar{x}(y)$ (as $\bar{x}.\bar{y}$). It is still useful and possible to recover the symmetry in the treatment of senders and receivers to some extent: see Section 8 of our previous paper [10].

The following theorem states that no well-typed process performs an invalid access to 
a resource. 

Theorem 3.14 (type soundness (safety)). Suppose that $P$ is safe. If $\Gamma \triangleright P : A$ and $P \longrightarrow^* Q$, then $Q$ is safe.

Proof. We make use of the following lemma:

• Subject reduction. If $P \longrightarrow P'$ and $\Gamma \triangleright P : A$, then $A \Longrightarrow A'$ and $\Gamma \triangleright P' : A'$. Proof: see Appendix B.

For the proof of the theorem, we focus on just a single reduction step. By the lemma we know that judgements are preserved by reduction; we must show that safety is also preserved, by induction on the derivation of the reduction. The only interesting case is (R-NewR1), $(\mathfrak{N}^{\Phi} x)P \longrightarrow (\mathfrak{N}^{\Phi'} x)P'$ (where $\Phi'$ is the trace set that (R-NewR1) assigns after the access $x^{\xi}$), since the other rules do not alter trace sets. In this case, we are given $\Gamma \triangleright P : A$, $\mathit{traces}_x(A) \subseteq \Phi$, and $P \longrightarrow P'$. By the lemma, $A \stackrel{x^{\xi}}{\Longrightarrow} A'$ for some $\Gamma \triangleright P' : A'$. Assume $(\mathfrak{N}^{\Phi} x)P$ is safe; hence so is $P$; by the induction hypothesis so is $P'$. From the conditions $\mathit{traces}_x(A) \subseteq \Phi$ and $A \stackrel{x^{\xi}}{\Longrightarrow} A'$, we get $\xi \in \mathit{traces}_x(A) \subseteq \Phi$, so that $\epsilon \in \Phi'$, i.e., $\Phi' \neq \emptyset$. So, $(\mathfrak{N}^{\Phi'} x)P'$ is safe. □

4. Type Inference Algorithm 

This section discusses an algorithm which takes a closed process $P$ as input and checks whether $\emptyset \triangleright P : \mathbf{0}$ holds. As in similar type systems [15], the algorithm consists of the following steps.

(1) Extract constraints on type variables based on the (syntax-directed version of the) typing rules.

(2) Reduce the constraints to trace inclusion constraints of the form
$$\{\mathit{traces}_{x_1}(A_1) \subseteq \Phi_1, \ldots, \mathit{traces}_{x_n}(A_n) \subseteq \Phi_n\}.$$

(3) Decide whether the constraints are satisfied.

The algorithm for Step 3 is sound but not complete.

$$\dfrac{\Gamma_0 \triangleright_{sd} P : A_2 \qquad \Gamma_i \triangleright_{sd} v_i : \sigma_i\ \text{(for each } i \in \{1,\ldots,n\})}{\Gamma_0 \cup \tilde{\Gamma} \cup (x : \mathbf{chan}((\tilde{y}:\tilde{\sigma})A_1)) \triangleright_{sd} \overline{x}\langle\tilde{v}\rangle.P : \overline{x}.([\tilde{v}/\tilde{y}]A_1 \mid A_2)}\ \text{(T-SD-Out)}$$

$$\dfrac{\Gamma \triangleright_{sd} P : A_2 \qquad A_2\downarrow_{\{\tilde{y}\}} \le A_1 \qquad \mathit{wd}(\Gamma \cup \tilde{y}:\tilde{\sigma})}{(\Gamma\setminus\{\tilde{y}\}) \cup x : \mathbf{chan}((\tilde{y}:\tilde{\sigma})A_1) \triangleright_{sd} x(\tilde{y}).P : x.(A_2\uparrow_{\{\tilde{y}\}})}\ \text{(T-SD-In)}$$

$$\dfrac{\Gamma_1 \triangleright_{sd} P_1 : A_1 \qquad \Gamma_2 \triangleright_{sd} P_2 : A_2}{\Gamma_1 \cup \Gamma_2 \triangleright_{sd} P_1 \mid P_2 : A_1 \mid A_2}\ \text{(T-SD-Par)}$$

$$\dfrac{\Gamma \triangleright_{sd} P : A}{\Gamma \triangleright_{sd} {*}P : {*}A}\ \text{(T-SD-Rep)}$$

$$\dfrac{\Gamma_0 \triangleright v : \mathbf{bool} \qquad \Gamma_1 \triangleright_{sd} P : A_1 \qquad \Gamma_2 \triangleright_{sd} Q : A_2 \qquad A_1 \le A \qquad A_2 \le A}{\Gamma_0 \cup \Gamma_1 \cup \Gamma_2 \triangleright_{sd} \mathbf{if}\ v\ \mathbf{then}\ P\ \mathbf{else}\ Q : A}\ \text{(T-SD-If)}$$

$$\dfrac{\Gamma \triangleright_{sd} P : A_2 \qquad \mathit{wd}(\Gamma \cup (x : \mathbf{chan}((\tilde{y}:\tilde{\sigma})A_1)))}{\Gamma\setminus\{x\} \triangleright_{sd} (\nu x)P : (\nu x)A_2}\ \text{(T-SD-New)}$$

$$\dfrac{\Gamma \triangleright_{sd} P : A}{\Gamma \cup (x : \mathbf{res}) \triangleright_{sd} \mathit{acc}^{\xi}(x).P : x^{\xi}.A}\ \text{(T-SD-Acc)}$$

$$\dfrac{\Gamma \triangleright_{sd} P : A \qquad \mathit{traces}_x(A) \subseteq \Phi \qquad \mathit{wd}(\Gamma \cup (x : \mathbf{res}))}{\Gamma\setminus\{x\} \triangleright_{sd} (\mathfrak{N}^{\Phi} x)P : A\uparrow_{\{x\}}}\ \text{(T-SD-NewR)}$$

Figure 5: Syntax Directed Typing Rules

We give an overview of each step below. The first two steps are almost the same as 
those in the previous work. 

4.1. Step 1: Extracting Constraints. The typing rules presented in Section 3 can be transformed to the syntax-directed typing rules shown in Figure 5. In the figure, $\Gamma_1 \cup \Gamma_2$ is the type environment obtained by merging both bindings, and is defined only if $\Gamma_1(x) = \Gamma_2(x)$ for every $x \in \mathit{dom}(\Gamma_1) \cap \mathit{dom}(\Gamma_2)$. Type equality here is syntactic equality up to $\alpha$-renaming. And $\mathit{wd}(\Gamma_1 \cup \Gamma_2)$ means that $\Gamma_1 \cup \Gamma_2$ is well-defined. The two sets of typing rules are equivalent in the following sense: if $\Gamma \triangleright P : A$ is derivable, then there exists $A'$ such that $A' \le A$ holds and $\Gamma \triangleright_{sd} P : A'$ is derivable. Conversely, if $\Gamma \triangleright_{sd} P : A$ is derivable, so is $\Gamma \triangleright P : A$.

Based on the syntax-directed rules, we obtain the algorithm in Figure 6, which takes a process $P$ and outputs a triple consisting of a type environment $\Gamma$, a behavioral type $A$, and a set $C$ of constraints. In Figure 6, $\Gamma_1 \otimes \cdots \otimes \Gamma_n$ is defined to be $(\Gamma, C)$ where $\Gamma$ and $C$ are given by:

$$\mathit{dom}(\Gamma) = \mathit{dom}(\Gamma_1) \cup \cdots \cup \mathit{dom}(\Gamma_n)$$

$$\Gamma(x) = \Gamma_i(x) \quad \text{where } x \in \mathit{dom}(\Gamma_i) \setminus (\mathit{dom}(\Gamma_1) \cup \cdots \cup \mathit{dom}(\Gamma_{i-1}))$$

$$C = \{\Gamma_i(x) = \Gamma_j(x) \mid x \in \mathit{dom}(\Gamma_i) \cap \mathit{dom}(\Gamma_j)\}$$

The triple $(\Gamma, A, C)$ output by $\mathit{PT}$ satisfies the following properties:
• $\theta\Gamma \triangleright P : \theta A$ holds for any substitution $\theta$ such that $\models \theta C$.
• If $\Gamma' \triangleright P : A'$, then there exists a substitution $\theta$ such that $\theta\Gamma \subseteq \Gamma'$ and $\theta A \le A'$.
Here, $\Gamma$ and $A$ may contain variables representing unknown behavioral types and value types. $C$ is a set of constraints on them, and the substitution $\theta$ above replaces them with closed behavioral types and value types. Intuitively, the triple $(\Gamma, A, C)$ expresses a set of type judgments for $P$. The first property above says that the triple contains only valid judgments, while the second property says that every valid judgment is subsumed by the triple.

We do not give a formal proof of the above properties; as usual, they can be proved by induction on the structure of $P$.

4.2. Step 2: Reducing Constraints. Given a closed process $P$, $\mathit{PT}(P)$ produces a triple $(\emptyset, A, C)$. The set $C$ of constraints consists of unification constraints on value types (where all the behavioral types occurring in them are variables), constraints of the form $\mathit{isChan}(\sigma)$ (which means that $\sigma$ is a channel type), subtype constraints on behavioral types of the form $\alpha \ge A$, and constraints of the form $\mathit{traces}_x(A) \subseteq \Phi$. We can remove the first two kinds of constraints (unification constraints on value types and $\mathit{isChan}(\sigma)$) by applying the standard unification algorithm. Thus, we obtain the following constraints:

$$\{\alpha_1 \ge A_1, \ldots, \alpha_n \ge A_n, \mathit{traces}_{x_1}(B_1) \subseteq \Phi_1, \ldots, \mathit{traces}_{x_m}(B_m) \subseteq \Phi_m\}$$

Here, we can assume that $\alpha_1, \ldots, \alpha_n$ are different from each other, since $\alpha \ge A_1$ and $\alpha \ge A_2$ can be replaced with $\alpha \ge A_1 \oplus A_2$ by Lemma 3.8. We can also assume that $\{\alpha_1, \ldots, \alpha_n\}$ contains all the type variables in the constraint, since otherwise we can always add the tautology $\alpha \ge \alpha$. Each subtype constraint $\alpha \ge A$ can also be replaced by $\alpha \ge \mu\alpha.A$, by using Lemma 3.8. Therefore, the above constraints can be further reduced, by Lemma Em, to:

$$\{\mathit{traces}_{x_1}([\tilde{A'}/\tilde{\alpha}]B_1) \subseteq \Phi_1, \ldots, \mathit{traces}_{x_m}([\tilde{A'}/\tilde{\alpha}]B_m) \subseteq \Phi_m\}$$

Here, $A'_1, \ldots, A'_n$ are the least solutions for the subtype constraints.

Thus, we have reduced type checking to the validity of trace inclusion constraints of the form $\mathit{traces}_x(A) \subseteq \Phi$.

Example 4.1. Recall Example 2.9. By applying the algorithm $\mathit{PT}$ and the first part of Step 2, we obtain the following constraints:

$$\mathit{traces}_x((\nu r)(x^{I}.\overline{s}.\alpha_1 \mid r.x^{C})) \subseteq (IR^*C)^*$$

$$\alpha_1 \ge \overline{r}.\alpha_2 \oplus (\nu r')(\overline{s}.(r'/r)\alpha_1 \mid r'.x^{R}.\overline{r}.\alpha_2)\downarrow_{\{n,x,r\}}$$

$$\alpha_2 \ge \alpha_2$$

By applying the second part of Step 2, we obtain $\mathit{traces}_x(A_1) \subseteq (IR^*C)^*$ where

$$A_1 = (\nu r)(x^{I}.\overline{s}.A_2 \mid r.x^{C})$$

$$A_2 = \mu\alpha_1.\overline{r}.A_3 \oplus (\nu r')(\overline{s}.(r'/r)\alpha_1 \mid r'.x^{R}.\overline{r}.A_3)\downarrow_{\{n,x,r\}}$$

$$A_3 = \mu\alpha_2.\alpha_2.$$
    PTv(x) = ({x : ρ}, ρ)                                  (where ρ fresh)
    PTv(b) = (∅, bool)                                     if b ∈ {true, false}

    PT(0) = (∅, 0, ∅)
    PT(x̄⟨ṽ⟩.P0) =
        let (Γi, σi) = PTv(vi)
            (Γ0, A0, C0) = PT(P0)
            (Γ, C) = Γ0 ⊗ (x : chan((ỹ : σ̃)α)) ⊗ Γ1 ⊗ ··· ⊗ Γn
        in (Γ, x̄.([ṽ/ỹ]α | A0), C)                          (where α fresh)
    PT(x(ỹ).P0) =
        let (Γ0, A0, C0) = PT(P0)
            (Γ1, C1) = Γ0 ⊗ (x : chan((ỹ : ρ̃)α)) ⊗ (ỹ : ρ̃)
        in (Γ1\ỹ, x.A0↑{ỹ}, C0 ∪ C1 ∪ {α ≥ A0↓{ỹ}})          (where α, ρ̃ fresh)
    PT(P0 | P1) =
        let (Γ0, A0, C0) = PT(P0)
            (Γ1, A1, C1) = PT(P1)
            (Γ2, C2) = Γ0 ⊗ Γ1
        in (Γ2, A0 | A1, C0 ∪ C1 ∪ C2)
    PT(if v then P0 else P1) =
        let (Γ0, A0, C0) = PT(P0)
            (Γ1, A1, C1) = PT(P1)
            (Γ2, σ) = PTv(v)
            (Γ, C2) = Γ0 ⊗ Γ1 ⊗ Γ2
        in (Γ, A0 ⊕ A1, C0 ∪ C1 ∪ C2 ∪ {σ = bool})
    PT((νx)P0) =
        let (Γ0, A0, C0) = PT(P0)
            C1 = if x ∈ dom(Γ0) then {isChan(Γ0(x))} else ∅
        in (Γ0\{x}, (νx)A0, C0 ∪ C1)
    PT(*P0) =
        let (Γ0, A0, C0) = PT(P0)
        in (Γ0, *A0, C0)
    PT(acc^ξ(x).P0) =
        let (Γ0, A0, C0) = PT(P0)
            (Γ1, C1) = Γ0 ⊗ (x : res)
        in (Γ1, x^ξ.A0, C0 ∪ C1)
    PT((𝔑^Φ x)P0) =
        let (Γ0, A0, C0) = PT(P0)
            (Γ1, C1) = Γ0 ⊗ (x : res)
        in (Γ1\{x}, A0↑{x}, C0 ∪ C1 ∪ {traces_x(A0) ⊆ Φ})

Figure 6: A Type Inference Algorithm



4.3. Step 3: Constraint Solving. We present an approximation algorithm for checking a trace inclusion constraint $\mathit{traces}_x(A) \subseteq \Phi$ when the trace set $\Phi$ is a regular language. (Actually, we can extend the algorithm to deal with the case where $\Phi$ is a deterministic Petri net language: see Remark 4.6.)

We first describe the algorithm with an example. In Example 4.1 above, we have reduced the typability of the process to the equivalent constraint $\mathit{traces}_x(A_1) \subseteq \Phi$ where $\Phi = (IR^*C)^*$ and

$$A_1 = (\nu r)(x^{I}.A_2 \mid r.x^{C})$$

$$A_2 = \overline{r} \oplus (\nu r')((r'/r)A_2 \mid r'.x^{R}.\overline{r})$$

Here, we have removed $A_3 = \mu\alpha.\alpha$ since $A_3 \simeq \mathbf{0}$.

Step 3-1. Approximate the behavior of $A_1\downarrow_{\{x\}}$ by a Petri net [22] $N_{A_1,x}$. This part is similar to the translation of usage expressions into Petri nets in Kobayashi's previous work [16, 15]. Since the behavioral types are more expressive (having recursion, hiding, and renaming), however, we need to approximate the behavior of a behavioral type, unlike in the previous work. In this case $A_1\downarrow_{\{x\}}$ is infinite. To make it tractable we make a sound approximation $A'_1$ by pushing $(\nu)$ to the top level, and we eliminate $(r'/r)$:

$$A'_1 = (\nu r, r')(x^{I}.A'_2 \mid r.x^{C})$$

$$A'_2 = \overline{r} \oplus (A'_3 \mid r'.x^{R}.\overline{r})$$

$$A'_3 = \overline{r'} \oplus (A'_3 \mid r'.x^{R}.\overline{r'})$$

Then $N_{A'_1,x}$ is as pictured. (Here we treat $A_1 \oplus A_2$ as $\tau.A_1 \oplus \tau.A_2$ for clarity. We also use a version of Petri nets with labeled transitions.)

[Petri net diagram: places $B_1, \ldots, B_{11}$ drawn as rectangles (labeled by subterms such as $r'.x^{R}.\overline{r}$ and $x^{R}.\overline{r'}$) and transitions drawn as dots labeled $\tau$, $x^{I}$, $x^{R}$ and $x^{C}$; the drawing itself is not recoverable from the text.]

The rectangles are the places of the net, and the dots labeled by $\tau$, $x^{I}$, etc. are the transitions of the net. Write $i_k$ for the number of tokens at node $B_k$. The behavior $A'_1$ corresponds to the initial marking $\{i_1 = 1, i_{10} = 1\}$. We say that the nodes $\tilde{B}$ together with the restricted names $(r, r')$ constitute a basis for $A'_1$. Note here that $\mathit{traces}_x(A_1) \subseteq \mathit{traces}_x(A'_1) = \mathit{ptraces}(N_{A'_1,x})$, where $\mathit{ptraces}(N_{A'_1,x})$ is the set of traces of the Petri net. Thus, $\mathit{ptraces}(N_{A'_1,x}) \subseteq \Phi$ is a sufficient condition for $\mathit{traces}_x(A_1) \subseteq \Phi$. The key point here is that $A'_1$ still has infinitely many states, but all its reachable states can be expressed in the form $(\nu r, r')(i_1 B_1 \mid \cdots \mid i_{11} B_{11})$ (where $i_k B_k$ is the parallel composition of $i_k$ copies of $B_k$), a linear combination of finitely many processes $\tilde{B}$. That is why we could express $A'_1$ by the Petri net as above.
Step 3-2. Construct a deterministic, minimized automaton $M_\Phi$ that accepts the language $\Phi$. Here the initial marking is $\{i_{12} = 1\}$.

[Automaton diagram for $\Phi = (IR^*C)^*$: states $B_{12}$ (initial) and $B_{13}$, with $I$ leading from $B_{12}$ to $B_{13}$, $R$ looping on $B_{13}$, and $C$ leading from $B_{13}$ back to $B_{12}$; recovered from the unsafe-state condition below.]

Step 3-3. Construct another Petri net $N_{A'_1,x} \parallel M_\Phi$ from $N_{A'_1,x}$ and $M_\Phi$, which simulates the behavior of $N_{A'_1,x}$ and $M_\Phi$ simultaneously, so that the problem $\mathit{traces}_x(A'_1)\ (= \mathit{ptraces}(N_{A'_1,x})) \subseteq \Phi$ is equivalent to a reachability problem of $N_{A'_1,x} \parallel M_\Phi$. In the example, $N_{A'_1,x} \parallel M_\Phi$ has the initial marking $\{i_1 = 1, i_{10} = 1, i_{12} = 1\}$ and transitions such as $B_1 \mid B_{12} \longrightarrow B_2 \mid B_{13}$. $\mathit{ptraces}(N_{A'_1,x}) \subseteq \Phi$ if and only if the following unsafe state is unreachable:

$$(i_1 > 0 \wedge i_{12} = 0) \vee (i_7 > 0 \wedge i_{13} = 0) \vee (i_9 > 0 \wedge i_{13} = 0) \vee (i_{11} > 0 \wedge i_{13} = 0)$$

To explain, if $i_1 > 0 \wedge i_{12} = 0$ then the behavior is able to make an R transition but the specification automaton $M_\Phi$ is not able to.

Step 3-4. Use an approximation algorithm to decide the reachability problem of $N_{A'_1,x} \parallel M_\Phi$, in a manner similar to Kobayashi's type-based analyzer TyPiCal [12] for the $\pi$-calculus.

The above Steps 3-1, 3-2, and 3-3 are described in more detail below. See Section 6 for Step 3-4.



4.3.1. Step 3-1: Construction of $N_{A,x}$. We first introduce the notion of a basis. The basis is analogous to that of a vector space: each state is expressed as a linear combination of elements of the basis.

Definition 4.2. A pair $(\{y_1, \ldots, y_m\}, \{B_1, \ldots, B_n\})$ is a basis of $A$ if all of the following conditions are satisfied:

• $A \simeq (\nu y_1)\cdots(\nu y_m)(i_1 B_1 \mid \cdots \mid i_n B_n)$ for some $i_1, \ldots, i_n \in \mathbf{Nat}$.

• If $B_j \stackrel{\ell}{\longrightarrow} C$, then there exist $i_1, \ldots, i_n \in \mathbf{Nat}$ such that $C \simeq i_1 B_1 \mid \cdots \mid i_n B_n$.

• For each $B_j$, there are only finitely many $C$ (up to $\simeq$) such that $B_j \stackrel{\ell}{\longrightarrow} C$.

Note that if $(\{\tilde{y}\}, \{B_1, \ldots, B_n\})$ is a basis of $A$, then whenever $A \Longrightarrow A'$, there exist $i_1, \ldots, i_n$ such that $A' \simeq (\nu\tilde{y})(i_1 B_1 \mid \cdots \mid i_n B_n)$. Let us write $\mathit{Index}(C)$ for $(i_1, \ldots, i_n)$ such that $C \simeq i_1 B_1 \mid \cdots \mid i_n B_n$. (If there is more than one such tuple, $\mathit{Index}(C)$ picks one among them.) Therefore, if $A\downarrow_{\{x\}}$ has a basis, the behavior of $A\downarrow_{\{x\}}$ is simulated by the (labeled) Petri net $N_{A,x,(\{\tilde{y}\},\{\tilde{B}\})}$ given below. Here, we use a process-like syntax to represent the elements of a Petri net rather than the standard tuple notation $(P, T, F, W, M_0)$. A marking state $m$ which has $i_k$ tokens for each place $p_k$ ($k \in \{1, \ldots, n\}$) is written $i_1 p_1 \mid \cdots \mid i_n p_n$. A transition that consumes a marking $m_1$ and produces $m_2$ is expressed by $m_1 \stackrel{\gamma}{\longrightarrow} m_2$, where $\gamma$ is the label of the transition.

• The set $P$ of places is $\{p_{B_1}, \ldots, p_{B_n}\}$.

• The initial marking $m_I$ is $i_1 p_{B_1} \mid \cdots \mid i_n p_{B_n}$ where $A \simeq (\nu\tilde{y})(i_1 B_1 \mid \cdots \mid i_n B_n)$.

• The set of transitions consists of:

– $p_{B_j} \stackrel{x^{\xi}}{\longrightarrow} i_1 p_{B_1} \mid \cdots \mid i_n p_{B_n}$ where $\mathit{Index}(C) = (i_1, \ldots, i_n)$, for each $B_j \stackrel{x^{\xi}}{\longrightarrow} C$;

– $p_{B_j} \stackrel{\tau}{\longrightarrow} i_1 p_{B_1} \mid \cdots \mid i_n p_{B_n}$ where $\mathit{Index}(C) = (i_1, \ldots, i_n)$, for each $B_j \stackrel{\tau}{\longrightarrow} C$;

– $p_{B_j} \mid p_{B_{j'}} \stackrel{\tau}{\longrightarrow} (i_1 + i'_1) p_{B_1} \mid \cdots \mid (i_n + i'_n) p_{B_n}$ where $\mathit{Index}(C) = (i_1, \ldots, i_n)$ and $\mathit{Index}(C') = (i'_1, \ldots, i'_n)$, for each pair of transitions $B_j \stackrel{z}{\longrightarrow} C$ and $B_{j'} \stackrel{\overline{z}}{\longrightarrow} C'$ such that $z \in \{\tilde{y}\}$.

From now on we omit the basis and just write $N_{A,x}$ for $N_{A,x,(\{\tilde{y}\},\{\tilde{B}\})}$. We write $\mathit{ptraces}(N_{A,x})$ for the set:

where $\stackrel{\xi}{\Longrightarrow}$ means $\stackrel{\tau}{\longrightarrow}^* \stackrel{\xi}{\longrightarrow} \stackrel{\tau}{\longrightarrow}^*$. By the construction of $N_{A,x}$, $\mathit{ptraces}(N_{A,x}) = \mathit{traces}_x(A)$.

The construction of $N_{A,x}$ outlined above can be applied only when a basis of $A\downarrow_{\{x\}}$ can be found (by some heuristic algorithm). If $A\downarrow_{\{x\}}$ has no basis or one cannot be found, we approximate $A\downarrow_{\{x\}}$ by moving all the $\nu$-prefixes to the top level; for example, $y.(\nu x)A$, ${*}(\nu x)A$ and $\mu\alpha.(\nu x)A$ are replaced by $(\nu x)(y.A)$, $(\nu x){*}A$, and $(\nu x)\mu\alpha.A$ respectively. Let $A'$ be the approximation of $A\downarrow_{\{x\}}$. It is easy to prove that $A'$ is a sound approximation of $A\downarrow_{\{x\}}$, in the sense that $\mathit{traces}_x(A) \subseteq \mathit{traces}_x(A')$.

We can compute a basis of $A'$ as follows (see Appendix ^ for more details). Since $\nu$-prefixes do not appear inside recursion, we can first eliminate the constructors $\downarrow_S$, $\uparrow_S$ and $(y/x)$. Let $(\nu\tilde{y})A''$ be the resulting expression, where $A''$ does not contain $\downarrow_S$, $\uparrow_S$, $(y/x)$ or $(\nu x)$. Let $\mathcal{B}$ be the set of behavioral types that are subexpressions of the behavioral types obtained from $A''$ by expanding recursive types and that do not contain an "unnecessary" unfolding $[\mu\alpha.A/\alpha]A$. Then, $\mathcal{B}$ is a finite set, and $(\{\tilde{y}\}, \mathcal{B})$ is a basis of $A'$. We can therefore construct a Petri net $N_{A',x}$. By the construction, $\mathit{ptraces}(N_{A',x}) = \mathit{traces}_x(A') \supseteq \mathit{traces}_x(A)$, so that $\mathit{ptraces}(N_{A',x}) \subseteq \Phi$ is a sufficient condition for $\mathit{traces}_x(A) \subseteq \Phi$.

4.3.2. Steps 3-2 and 3-3: Construction of $N_{A,x} \parallel M_\Phi$ and reduction of $\mathit{traces}_x(A) \subseteq \Phi$ to a reachability problem. Let $P_{N_{A,x}}$ and $T_{N_{A,x}}$ be the sets of places and transitions of $N_{A,x}$ respectively. Let $M_\Phi$ be a minimized deterministic automaton² that accepts $\Phi$, and let $Q_\Phi$ be its set of states and $\delta_\Phi$ be its transition function.

Definition 4.3. The composition of $N_{A,x}$ and $M_\Phi$, written $N_{A,x} \parallel M_\Phi$, is defined as follows:

• The set of places is $P_{N_{A,x}} \cup Q_\Phi$.

• The set of transitions is:

$$\{(m \mid q) \stackrel{\xi}{\longrightarrow} (m' \mid q') \mid (m \stackrel{\xi}{\longrightarrow} m') \in T_{N_{A,x}} \wedge \delta_\Phi(q, \xi) = q'\} \cup \{m \stackrel{\tau}{\longrightarrow} m' \mid (m \stackrel{\tau}{\longrightarrow} m') \in T_{N_{A,x}}\}$$

• The initial state is $m_I \mid q_I$ where $m_I$ is the initial state of $N_{A,x}$ and $q_I$ is the initial state of $M_\Phi$.



²Note that since $\Phi$ is prefix-closed, all the states of the minimized automaton are accepting states.
Now, $\mathit{ptraces}(N_{A,x}) \subseteq \Phi$ can be reduced to reachability problems of $N_{A,x} \parallel M_\Phi$.

Theorem 4.4. $\mathit{ptraces}(N_{A,x}) \subseteq \Phi$ if and only if no marking $m \mid q$ that satisfies the following conditions is reachable:

• $m \stackrel{\xi}{\longrightarrow} m'$ for some $m'$ and $\xi$ in $N_{A,x}$.

• $\delta_\Phi(q, \xi)$ is undefined.

Thus, we can reduce $\mathit{ptraces}(N_{A,x}) \subseteq \Phi$ to a finite set of reachability problems of $N_{A,x} \parallel M_\Phi$. Hence $\mathit{ptraces}(N_{A,x}) \subseteq \Phi$ is decidable [TS].

Corollary 4.5. $\mathit{ptraces}(N_{A,x}) \subseteq \Phi$ if and only if for every transition rule of the form $m_1 \stackrel{\xi}{\longrightarrow} m_2$ of $N_{A,x}$ and $q$ such that $\delta_\Phi(q, \xi)$ is undefined, no marking $m$ such that $m \ge m_1 \mid q$ is reachable by $N_{A,x} \parallel M_\Phi$.

Remark 4.6. We can actually extend the above algorithm for checking $\mathit{traces}_x(A) \subseteq \Phi$ to deal with the case where $\Phi$ belongs to the class of deterministic Petri net languages (more precisely, the class of P-type languages of $\lambda$-free, deterministic Petri nets [SSII^]). If $\Phi$ is the P-type language of a $\lambda$-free, deterministic Petri net, then its complement $\overline{\Phi}$ is a Petri net language .21_. Therefore, we can construct a Petri net that accepts the intersection of the language of $N_{A,x}$ and $\overline{\Phi}$ [121)), so that $\mathit{ptraces}(N_{A,x}) \subseteq \Phi$ can be reduced to the emptiness problem of that Petri net, which is decidable due to the decidability of the reachability problem.

Some useful resource usage specifications are not regular languages but are deterministic Petri net languages. For example, consider a stack-like resource on which, at any point of program execution, the number of times the operation pop has been performed is less than the number of times push has been performed. Such a specification is expressible as a deterministic Petri net language.

5. Extensions 

The type system given so far guarantees that no invalid resource access is performed, but not that every necessary access is eventually performed; for example, the type system does not guarantee that a file is eventually closed. We discuss extensions of the type system to guarantee such properties.

We are interested in type systems that satisfy either partial liveness³ or the stronger liveness property:

• partial liveness: If $P \longrightarrow^* Q$ and $Q \not\longrightarrow$, then $Q$ does not contain any resource to which some access must still be performed.

• liveness: In any fair reduction sequence $P \longrightarrow P_1 \longrightarrow P_2 \longrightarrow \cdots$, $P$ eventually performs all the necessary resource accesses. (Here, a reduction sequence is fair if an input or output action that is infinitely often enabled will eventually succeed. Without the fairness assumption, no process can satisfy the liveness property in the presence of a divergent process $(\nu x)(\overline{x}\langle\rangle \mid {*}x().\overline{x}\langle\rangle)$, which is too restrictive.)

³This is not a standard term; actually, the partial liveness here can be viewed as the safety property that no 'bad' state is reachable such that the necessary accesses have not yet been performed but the system cannot make any move.
Our idea is to take the resource type system from the previous sections, and combine it with some existing system that annotates those communications that eventually succeed. Specifically, this existing system might be (1) deadlock-freedom [16, 15], which guarantees that the annotated communications eventually succeed unless the process diverges; the combination would then guarantee partial liveness. Or the existing system could be (2) lock-freedom ^1, which guarantees that the annotated communications eventually succeed even in the presence of divergence (assuming a strongly fair scheduler); the combination would then guarantee full liveness.

To formally state which resource accesses must be performed, we extend the trace sets.

Definition 5.1. An extended trace set is a set of sequences of access labels, possibly ending with a special label $\downarrow$, that is closed under the prefix operation.

Intuitively, the special label $\downarrow$ means that no further resource access needs to be performed. For example, the trace set $(\{C\!\downarrow, RC\!\downarrow\})^*$ means that the close operation needs to be performed, while $(\{\downarrow, R\!\downarrow, C\!\downarrow, RC\!\downarrow\})^*$ means that the close operation need not be performed.

Now we can state the partial liveness property more formally. We write $(\nu\tilde{\mathfrak{N}})$ for a (possibly empty) sequence of $\nu$- and $\mathfrak{N}$-binders.

Definition 5.2. A process $P$ is partially live if $\downarrow \in \Phi$ whenever $P \longrightarrow^* (\nu\tilde{\mathfrak{N}})(\mathfrak{N}^{\Phi} x)Q \not\longrightarrow$.

5.1. A Type System for the Partial Liveness Property. We extend the syntax of processes to allow each input and output prefix to be annotated with information about whether the communication is guaranteed to succeed.

Definition 5.3 ((extended) processes). The set of (extended) processes is given by:

$$t\ \text{(attributes)} ::= c \mid \emptyset$$

$$P ::= x_t(y_1, \ldots, y_n).P \mid \overline{x}_t\langle y_1, \ldots, y_n\rangle.P \mid \cdots$$

The attribute $c$ indicates that when the annotated input or output operation appears at the top level, the operation will succeed unless the whole process diverges, while $\emptyset$ does not give such a guarantee. We often omit the tag $\emptyset$.

We assume that there exists a type system guaranteeing that any well-typed process is well-annotated in the sense of Definition 5.4 below. There are indeed such type systems |131 1161 [TB]. Moreover, the static analysis tool TyPiCal [12] can automatically infer the annotations.

Definition 5.4. $P$ is active, written $\mathit{active}(P)$, if $P \equiv (\nu\tilde{\mathfrak{N}})(\overline{x}_c\langle\tilde{v}\rangle.Q \mid R)$ or $P \equiv (\nu\tilde{\mathfrak{N}})(x_c(\tilde{y}).Q \mid R)$. Additionally, $P$ is well-annotated, written $\mathit{well\_annotated}(P)$, if for any $P'$ such that $P \longrightarrow^* P'$ and $\mathit{active}(P')$, there exists $P''$ such that $P' \longrightarrow P''$.

For example, $\overline{x}_c\langle\rangle \mid x_c().\overline{y}_\emptyset\langle\rangle$ is well-annotated, but $\overline{x}_c\langle\rangle \mid x_c().\overline{y}_c\langle\rangle$ is not. Note that $\overline{x}_\emptyset\langle\rangle.\overline{x}_c\langle\rangle.\mathbf{0}$ is well-annotated since, although the second output never succeeds, it does not appear at the top level.

Now we introduce the type system that guarantees partial liveness. We extend the behavioral types by annotating each input, output, or $\tau$-action with an attribute that indicates whether the action is guaranteed to succeed.

$$A ::= x_t.A \mid \overline{x}_t.A \mid \tau_t.A \mid \cdots$$

Figure 7: The definition of $\mathit{disabled}(A, S)$



For example, a process having type $\overline{x}_c.\overline{x}_\emptyset$ implies that the process may send values on $x$ twice, and that the first send is guaranteed to succeed (i.e., the sent value will be received by some process), while there is no such guarantee for the second send.

The transition semantics of behavioral types is unchanged; the attribute $t$ is just ignored.

We revise the definitions of the subtype relation and the traces by using the following predicate $\mathit{disabled}(A, S)$. Intuitively, it means that $A$ describes a process that may get blocked without accessing any resources in $S$.

Definition 5.5. $\mathit{disabled}(A, S)$ is the least binary relation between extended behavioral types and sets of variables that is closed under the rules in Figure 7.

Definition 5.6. The set $\mathit{etraces}_x(A)$ of extended traces is:

$$\{\xi_1 \cdots \xi_n\!\downarrow \mid A\downarrow_{\{x\}} \stackrel{x^{\xi_1}}{\Longrightarrow} \cdots \stackrel{x^{\xi_n}}{\Longrightarrow} B \wedge \mathit{disabled}(B, \{x\})\} \cup \{\xi_1 \cdots \xi_n \mid \exists B.\ A\downarrow_{\{x\}} \stackrel{x^{\xi_1}}{\Longrightarrow} \cdots \stackrel{x^{\xi_n}}{\Longrightarrow} B\}$$

Here, $A\downarrow_{\{x\}} \Longrightarrow \cdots \Longrightarrow B \wedge \mathit{disabled}(B, \{x\})$ means that $\xi_n$ may be the last access to $x$, so that $\downarrow$ is attached to the sequence $\xi_1 \cdots \xi_n$. By definition, $\mathit{etraces}_x(A)$ is prefix-closed.

Definition 5.7. $A_1 \le A_2$ is the largest relation on closed behavioral types that satisfies the following properties:

• If $A_1 \stackrel{\ell}{\longrightarrow} A'_1$ then there exists $A'_2$ such that $A_2 \stackrel{\ell}{\Longrightarrow} A'_2$ and $A'_1 \le A'_2$.

• $\mathit{disabled}(A_1, S)$ implies $\mathit{disabled}(A_2, S)$ for any set $S$ of variables.

Note that by the definition, $A_1 \le A_2$ implies $\mathit{etraces}_x(A_1) \subseteq \mathit{etraces}_x(A_2)$.

The typing rules are the same as those in Section 3 except for the rules shown in Figure 8. The only changes are that attributes have been attached to (ET-Out) and (ET-In), and that $\mathit{traces}_x(A\downarrow_{\{x\}})$ has been replaced by $\mathit{etraces}_x(A\downarrow_{\{x\}})$ in (ET-NewR).
$$\dfrac{\Gamma \triangleright_{pl} P : A_2 \qquad \Gamma \triangleright_{pl} x : \mathbf{chan}((\tilde{y}:\tilde{\sigma})A_1)}{\Gamma \triangleright_{pl} x_t(\tilde{y}).P : x_t.(A_2\uparrow_{\{\tilde{y}\}})}\ \text{(ET-In)}$$

$$\dfrac{\Gamma, x : \mathbf{res} \triangleright_{pl} P : A \qquad \mathit{etraces}_x(A) \subseteq \Phi}{\Gamma \triangleright_{pl} (\mathfrak{N}^{\Phi} x)P : A\uparrow_{\{x\}}}\ \text{(ET-NewR)}$$

Figure 8: Typing Rules for Partial Liveness



An important invariant maintained by the typing rules is that the type of an input/output process is annotated with $c$ only if the process itself is annotated with $c$. For example, we cannot derive $x : \mathbf{chan}() \triangleright_{pl} \overline{x}_\emptyset\langle\rangle.\mathbf{0} : \overline{x}_c$.

The following theorem states the soundness of the extended type system.

Theorem 5.8. If $\mathit{well\_annotated}(P)$ and $\emptyset \triangleright_{pl} P : A$, then $P$ is partially live.

Proof. We make use of three lemmas. The first two show that typing and well-annotatedness are preserved by reduction. The third means that the type of a process properly captures the possibility of the process being blocked.

• Subject reduction. If $\Gamma \triangleright_{pl} P : A$ and $P \longrightarrow Q$, then there exists some $B$ such that $\Gamma \triangleright_{pl} Q : B$ and $A \Longrightarrow B$. Proof: see Appendix B.

• Well-annotatedness. If $\mathit{well\_annotated}(P)$ and $P \longrightarrow Q$, then $\mathit{well\_annotated}(Q)$. Proof: trivial by the definition of $\mathit{well\_annotated}(P)$.

• Disabled. If $\mathit{well\_annotated}(P)$ and $\Gamma \triangleright_{pl} P : A$ with $\mathbf{bool} \notin \mathit{codom}(\Gamma)$, then $P \not\longrightarrow$ implies $\mathit{disabled}(A, S)$ for any $S$. Proof: see Appendix O.

Now we are ready to prove the theorem. Suppose that $P \longrightarrow^* (\nu\tilde{\mathfrak{N}})(\mathfrak{N}^{\Phi} x)Q \not\longrightarrow$ and $\mathit{well\_annotated}(P)$, $\emptyset \triangleright_{pl} P : A$. We have to show $\downarrow \in \Phi$. By subject reduction we obtain $\emptyset \triangleright_{pl} (\nu\tilde{\mathfrak{N}})(\mathfrak{N}^{\Phi} x)Q : A'$ for some $A'$. By inversion of the typing rules, we get $\tilde{y} : \mathbf{res}, \tilde{z} : \tilde{\sigma}, x : \mathbf{res} \triangleright_{pl} Q : B$ and $\mathit{etraces}_x(B) \subseteq \Phi$ for some sequence $\tilde{\sigma}$ of channel types. (Here, $\tilde{y}$ and $\tilde{z}$ are the variables bound by $\tilde{\mathfrak{N}}$.) By well-annotatedness we also have $\mathit{well\_annotated}((\nu\tilde{\mathfrak{N}})(\mathfrak{N}^{\Phi} x)Q)$, which implies $\mathit{well\_annotated}(Q)$. Thus, by Disabled, we get $\mathit{disabled}(B, S)$ for any $S$, which implies $\mathit{disabled}(B\downarrow_{\{x\}}, \{x\})$. So, we have $\downarrow \in \mathit{etraces}_x(B) \subseteq \Phi$ as required. □

Example 5.9. An annotated version of Example 3.11

$$P = (\nu s)({*}s_c(n, x, r).P_1 \mid (\mathfrak{N}^{\Phi} x)P_2)$$

$$P_1 = \mathbf{if}\ n = 0\ \mathbf{then}\ \overline{r}_c()\ \mathbf{else}\ (\nu r')(\overline{s}_c\langle n-1, x, r'\rangle \mid r'_c().\mathit{read}(x).\overline{r}_c())$$

$$P_2 = (\nu r)(\mathit{init}(x).\overline{s}_c\langle 100, x, r\rangle \mid r_c().\mathit{close}(x))$$

$$\Phi = (IR^*C\!\downarrow)^*$$

is well-annotated. Suppose

$$A_1 = \mu\alpha.(\overline{r}_c \oplus (\nu r')((r'/r)\alpha \mid r'_c.x^{R}.\overline{r}_c))$$

$$\Gamma = s : \mathbf{chan}((n:\mathbf{int}, x:\mathbf{res}, r:\mathbf{chan}())A_1).$$

Then

$$\Gamma \triangleright P_1 : A_1$$

$$\Gamma \triangleright {*}s_c(n, x, r).P_1 : {*}s_c.(A_1\uparrow_{\{n,x,r\}}) \simeq {*}s_c$$

$$\Gamma \triangleright P_2 : (\nu r)(x^{I}.A_1 \mid r_c.x^{C}).$$

So long as $\mathit{etraces}_x((\nu r)(x^{I}.A_1 \mid r_c.x^{C})) \subseteq \Phi$, we obtain $\emptyset \triangleright P : \mathbf{0}$. □

5.2. Type Inference. The type inference algorithm for the extended type system is almost the same as the algorithm for the basic type system discussed in Section 4. The only changes are:

• In the constraint generation algorithm $\mathit{PT}$, attribute annotations for input and output processes are propagated to types. For example, the case for output processes becomes:

    PT(x̄_t⟨ṽ⟩.P0) =
        let (Γi, σi) = PTv(vi)
            (Γ0, A0, C0) = PT(P0)
            (Γ, C) = Γ0 ⊗ (x : chan((ỹ : σ̃)α)) ⊗ Γ1 ⊗ ··· ⊗ Γn
        in (Γ, x̄_t.([ṽ/ỹ]α | A0), C)                        (where α fresh)

• The constraint $\mathit{traces}_x(A) \subseteq \Phi$ is replaced by $\mathit{etraces}_x(A) \subseteq \Phi$.

The second change forces us to adjust the reduction of the constraint to the reachability problem of Petri nets (recall Step 3 of the algorithm in Section 4.3). First, we need to use $\mathit{eptraces}(N_{A,x})$ defined below, which corresponds to $\mathit{etraces}_x(A)$, instead of $\mathit{ptraces}(N_{A,x})$ in the reduction.

Definition 5.10. $\mathit{eptraces}(N_{A,x})$ is the set

$$\{\xi_1 \cdots \xi_k \mid m_I \stackrel{x^{\xi_1}}{\Longrightarrow} \cdots \stackrel{x^{\xi_k}}{\Longrightarrow} m'\} \cup \{\xi_1 \cdots \xi_k\!\downarrow \mid m_I \stackrel{x^{\xi_1}}{\Longrightarrow} \cdots \stackrel{x^{\xi_k}}{\Longrightarrow} m' \wedge \mathit{pdisabled}(m', \{x\})\}$$

where $m_I$ is the initial marking of $N_{A,x}$. $\mathit{pdisabled}(m, S)$ means that $\mathit{disabled}(A, S)$ holds for the behavioral type $A$ expressed by $m$.

Second, the construction of the automaton needs to be adjusted so that it accepts extended traces. For example, the automaton used in the explanation of Step 3-2 in Section 4.3 is replaced by the one that accepts $IR^*C\!\downarrow$.

With these changes, the validity of a constraint $\mathit{etraces}_x(A) \subseteq \Phi$ is reduced to the reachability problem of a Petri net $N_{A,x} \parallel M_\Phi$, where the composition of a Petri net $N_{A,x}$ and an automaton $M_\Phi$ is defined in the same manner as Definition 4.3.

Theorem 5.11. $\mathit{eptraces}(N_{A,x}) \subseteq \Phi$ if and only if no marking $m \mid q$ that satisfies the following conditions is reachable:

• $\mathit{pdisabled}(m, \{x\})$.

• $\delta_\Phi(q, \downarrow)$ is undefined.
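The reduction of Steps 3-2 to 3-4 in Section 4.3 (Definition 4.3, Theorem 4.4) together with the partial-liveness variant of this section (Definition 5.10, Theorem 5.11), as an added, runnable example; it is not the authors' analyzer. It composes a labeled Petri net with $M_\Phi$, explores the product with the $\{0, 1, 2, \text{"3 or more"}\}$ token abstraction described in Section 6, and reports the first trace that $M_\Phi$ cannot follow (safety) or a marking that may block while $\delta_\Phi(q, \downarrow)$ is undefined (partial liveness). The three nets, their place names and the `guaranteed` flag that stands in for the $c$/$\emptyset$ attribute are constructed for this example.

```python
from collections import deque

TOKEN_CAP = 3   # abstract token counts 0, 1, 2 and "3 or more" (Section 6)
TAU = "tau"     # label of internal (non-access) transitions
END = "↓"       # the special end label of extended traces (Definition 5.1)


class DFA:
    """M_Phi for a prefix-closed Phi: every state accepts, so a trace is
    rejected exactly when delta is undefined at some step."""
    def __init__(self, initial, delta):
        self.initial, self.delta = initial, delta   # delta: (state, label) -> state


class PetriNet:
    """Labelled net N_{A,x}. A transition is (label, consume, produce, guaranteed);
    `guaranteed` is this example's assumption: True for accesses, tau steps and
    c-annotated communications, False for communications that may block forever."""
    def __init__(self, initial, transitions):
        self.initial, self.transitions = dict(initial), transitions


def fire(marking, consume, produce):
    """All abstract successor markings of one transition; a place holding
    "3 or more" may drop to any count >= TOKEN_CAP - n, hence a list."""
    results = [dict(marking)]
    for place, n in consume.items():
        nxt = []
        for m in results:
            v = m.get(place, 0)
            if v >= TOKEN_CAP:
                options = range(max(0, TOKEN_CAP - n), TOKEN_CAP + 1)
            else:
                options = [v - n] if v >= n else []
            for o in options:
                nxt.append({**m, place: o})
        results = nxt
    for m in results:
        for place, n in produce.items():
            m[place] = min(m.get(place, 0) + n, TOKEN_CAP)
    return results


def key(marking):
    """Canonical form of a marking (places with zero tokens dropped)."""
    return frozenset((p, c) for p, c in marking.items() if c > 0)


def pdisabled(net, marking):
    """pdisabled(m, {x}) of Definition 5.10, approximated as: no guaranteed
    transition is enabled, so the process may stay blocked at m forever."""
    return not any(fire(marking, con, pro) and g for _, con, pro, g in net.transitions)


def check(net, dfa, liveness=False):
    """Breadth-first search over N_{A,x} || M_Phi (Definition 4.3). Returns None
    when no unsafe marking is reachable, else the trace that reaches one
    (Theorem 4.4; with liveness=True also the condition of Theorem 5.11)."""
    seen = {(key(net.initial), dfa.initial)}
    queue = deque([(net.initial, dfa.initial, ())])
    while queue:
        m, q, trace = queue.popleft()
        if liveness and pdisabled(net, m) and (q, END) not in dfa.delta:
            return trace + (END,)            # may stop here, but Phi demands more
        for label, con, pro, _ in net.transitions:
            succs = fire(m, con, pro)
            if not succs:
                continue
            if label == TAU:
                q2, t2 = q, trace
            elif (q, label) in dfa.delta:     # M_Phi can follow the access
                q2, t2 = dfa.delta[(q, label)], trace + (label,)
            else:                             # access possible, delta undefined
                return trace + (label,)
            for m2 in succs:
                if (key(m2), q2) not in seen:
                    seen.add((key(m2), q2))
                    queue.append((m2, q2, t2))
    return None


# Phi = (I R* C)* of Example 4.1 and its extended form (I R* C ↓)* of Example 5.9
PHI_SAFE = DFA("q0", {("q0", "I"): "q1", ("q1", "R"): "q1", ("q1", "C"): "q0"})
PHI_LIVE = DFA("q0", {("q0", "I"): "q1", ("q1", "R"): "q1", ("q1", "C"): "q2",
                      ("q2", END): "q0"})

# Constructed nets. GOOD: init, a reader loop, then close, all guaranteed.
GOOD = PetriNet({"init": 1}, [("I", {"init": 1}, {"loop": 1}, True),
                              ("R", {"loop": 1}, {"loop": 1}, True),
                              (TAU, {"loop": 1}, {"close": 1}, True),
                              ("C", {"close": 1}, {}, True)])
# RACE: after init a reader and a closer run in parallel, so "I C R" is a trace.
RACE = PetriNet({"init": 1}, [("I", {"init": 1}, {"reader": 1, "closer": 1}, True),
                              ("R", {"reader": 1}, {"reader": 1}, True),
                              (TAU, {"reader": 1}, {}, True),
                              ("C", {"closer": 1}, {}, True)])
# STUCK: the close waits on an acknowledgement ("ack") nobody sends; that
# input carries attribute ∅, so the close is not guaranteed to happen.
STUCK = PetriNet({"init": 1}, [("I", {"init": 1}, {"loop": 1}, True),
                               ("R", {"loop": 1}, {"loop": 1}, True),
                               (TAU, {"loop": 1}, {"close": 1}, True),
                               ("C", {"close": 1, "ack": 1}, {}, False)])
```

`check(GOOD, PHI_SAFE)` returns `None`, `check(RACE, PHI_SAFE)` returns the violating trace `("I", "C", "R")`, and `check(STUCK, PHI_LIVE, liveness=True)` returns `("I", "↓")`: the net passes the safety check but may block before the close.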
6. Implementation

We have implemented a prototype resource usage analyzer based on the extended type system described in Section 5. We have tested all the examples given in the present paper. The implementation can be tested at http://www.yl.is.s.u-tokyo.ac.jp/~kohei/usage-pi/

The analyzer takes a $\pi$-calculus program as input, and uses TyPiCal [12] to automatically annotate each input or output action with an attribute stating whether the action is guaranteed to succeed (recall the syntax of extended processes in Section 5). The annotated program is then analyzed based on the algorithm described in Section 4.

The following are some design decisions we made in the current implementation. We restrict the resource usage specification ($\Phi$) to regular languages, although in future we may extend it based on Remark 4.6. In Step 3-1 of the algorithm for checking $\mathit{etraces}_x(A) \subseteq \Phi$, we blindly approximate $A$ by pushing all of its $\nu$-prefixes to the top level. In future we might utilize an existing model checker to handle the case where $A$ is already finite. In Step 3-4, for solving the reachability problems of Petri nets, we approximate the number of tokens in each place by an element of the finite set $\{0, 1, 2, \text{"3 or more"}\}$. That approximation reduces Petri nets to finite state machines, so we can use BDDs to compute an approximation of the reachable states.

Figure 9 shows a part of a successful run of the analyzer. The first process (on the second line) of the input program runs a server, which returns a new, initialized resource. We write ! and ? for output and input actions. The resource access specification is here expressed by the number 1 of newR 1,x, which refers to the built-in specification $(I(R+W)^*C\!\downarrow)^*$. The second process runs infinitely many client processes, each of which sends a request for a new resource, and after receiving it, reads and closes it. The third process (on the 6th line) is a tail-recursive version of the replicated service in Example 2.9. Here, a boolean is passed as the first argument of s instead of an integer, as the current system is not adapted to handle integers; it does not affect the analysis, since the system ignores the value and simply inspects both branches of the conditional. Note that the program creates infinitely many resources and has infinitely many states. The first output is the annotated version of the input program produced by TyPiCal, where !! and ?? are an output and an input with the attribute $c$ (recall Section 5).

The remaining part shows the trace inclusion constraint and the constructed Petri net. The final line reports that the verification has succeeded, which implies that both the safety property (in Section 3) and the partial liveness property (in Section 5) are satisfied.

7. Related Work 

Resource usage analysis and similar analyses have recently been studied extensively, and a variety of methods from type systems to model checking have been proposed El IIH [17] [24]. However, only a few of them deal with concurrent languages. To our knowledge, none of them deal with the partial liveness property (or the total liveness property) that we discussed in Section 5. Nguyen and Rathke j2ilj propose an effect-type system for a kind of resource usage analysis for functional languages extended with threads and monitors. In their language, neither resources nor monitors can be created dynamically. On the other hand, our target language is the $\pi$-calculus, so that our type system can be applied to programs that may create infinitely many resources (due to the existence of primitives for dynamic creation of resources: recall the example in Figure 9), and also to programs
that use a wide range of communication and synchronization primitives. Capability-based type systems can deal with concurrency to a certain degree ([S], Section 4.2), by associating each resource with a unique capability to access the resource. The type system can control the resource access order, by ensuring the uniqueness of the capability and keeping track of what access is currently allowed by each capability. In this approach, however, resource accesses are completely serialized and programmers have to take care of appropriately passing capabilities between threads. Capability-based type systems El also require rather complex type annotations. Igarashi and Kobayashi's type system for resource usage analysis for the $\lambda$-calculus can be extended to deal with threads, by introducing the following typing rule:

$$\dfrac{\Gamma_1 \triangleright M_1 : \tau_1 \qquad \Gamma_2 \triangleright M_2 : \tau_2}{\Gamma_1 \otimes \Gamma_2 \triangleright \mathit{spawn}(M_1);\ M_2 : \tau_2}$$

Here, $\Gamma_1 \otimes \Gamma_2$ describes resources that are used according to $\Gamma_1$ and $\Gamma_2$ in an interleaving manner. However, it is not obvious how to accurately capture information about possible synchronizations between $M_1$ and $M_2$.

Input:

    new create, s in
      *(create?(r).newR 1,x in acc(x,init).r!(x))
    | *(new r in create!(r)
        | r?(y).new c in s!(false,y,c) | s!(false,y,c)
        | c?().c?().acc(y,close))
    | *(s?(b,x,r).if b then r!()
        else acc(x,read).s!(b,x,r))

Output:

    (*** The result of lock-freedom analysis ***)
    new create, s in
      *create??(r).newR 1,x in acc(x,I).r!!(x)
    | *(new r in create!!(r)
        | r??(y).new c in s!!(false,y,c) | s!!(false,y,c)
        | c??.c??.acc(y,close))

    (*** Constraints ***)
    etrace(x, acc(x,init).(c!! & acc(x,read).$16 | $16 | c??.c??.acc(x,close).0)) is included in 1

    (*** initial marking ***)
    1*11 | 1*7

    (*** 14 Places ***)
    0: c!!.

    (*** 9 Transitions ***)
    (x,close): 1*12 | 1*10 -> -1*12 | 1*13 | -1*10 | 1*1

    No error found

Figure 9: A Sample Run of the Analyzer.

Model checking technologies can of course be applied to concurrent languages, but they suffer from the state explosion problem, especially for expressive concurrent languages like the π-calculus, where resources and communication channels can be dynamically created and passed around. An appropriate abstraction must be devised for effectively performing resource usage analysis for the π-calculus with model checking. Actually, our type-based analysis can be considered a kind of abstract model checking. The behavioral types extracted by (the first two steps of) the type inference algorithm are abstract concurrent programs, each of which captures the access behavior on one resource. Then, conformance of the abstract program with respect to the resource usage specification is checked as a model checking problem. It would be interesting to study the relationship between the abstraction through our behavioral types and the abstraction techniques for concurrent programs used in the model checking community. From that perspective, an advantage of our approach is that our type, which describes a resource-wise behavior, has a much smaller state space than the whole program. In particular, if infinitely many resources are dynamically created, the whole program has infinitely many states, but it is often the case that our behavioral types are still finite (indeed so for the example in Figure 9). The limitation of our current analysis is that programs can be abstracted in only one way; on the other hand, the usual abstract model checking techniques refine the abstraction step by step until the verification succeeds.
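To make the "abstract model checking" view concrete, here is an added example (written for this page; it is not code from the paper or from its analyzer) in Python. It gives a small transition system for behavioral types built from the CCS-like constructors this paper names (access prefix $x^\xi$, channel actions $c!$ and $c?$, $\mid$, $\oplus$, $\mu$, and hiding $(\nu c)$), and a breadth-first check of $\mathit{traces}_x(A) \subseteq \Phi$ against a prefix-closed specification given as a small automaton. The type checked is the one in the constraint of Figure 9 (two readers that signal on $c$, and a closer that waits for both signals). The tuple encoding, the constructor names and the automaton for $\Phi$ are this example's own assumptions. Running the same check with the hiding of $c$ dropped shows why hiding matters (the point made about Igarashi and Kobayashi's types in the comparison below): without it the closer's $c?$ actions fire on their own and the type admits the trace init, close, read.

```python
"""Resource-wise trace inclusion for a toy behavioral-type language.

Added example, not the paper's analyzer.  Behavioral types are tuples:
  ('zero',)              0
  ('acc', x, xi, A)      x^xi . A     access xi (init/read/close) on resource x
  ('out', c, A)          c! . A       channel output
  ('in', c, A)           c? . A       channel input
  ('par', A, B)          A | B
  ('choice', A, B)       A (+) B      written '&' in the analyzer output
  ('nu', c, A)           (nu c) A     hiding: c-actions fire only by synchronisation
  ('rec', a, A), ('var', a)           mu a. A and its variable
Transition labels: ('acc', x, xi), ('out', c), ('in', c), or 'tau'.
"""
from collections import deque

ZERO = ('zero',)


def subst(t, name, body):
    """[body/name]t, used to unfold a recursive type (rule Tr-Rec)."""
    tag = t[0]
    if tag == 'var':
        return body if t[1] == name else t
    if tag == 'zero' or (tag == 'rec' and t[1] == name):
        return t
    if tag == 'acc':
        return ('acc', t[1], t[2], subst(t[3], name, body))
    if tag in ('out', 'in', 'nu', 'rec'):
        return (tag, t[1], subst(t[2], name, body))
    return (tag, subst(t[1], name, body), subst(t[2], name, body))  # par, choice


def step(t):
    """All one-step transitions of t as a set of (label, successor) pairs."""
    tag = t[0]
    if tag in ('zero', 'var'):
        return set()
    if tag == 'acc':                                   # Tr-Act
        return {(('acc', t[1], t[2]), t[3])}
    if tag in ('out', 'in'):                           # Tr-Act
        return {((tag, t[1]), t[2])}
    if tag == 'choice':                                # Tr-Or
        return step(t[1]) | step(t[2])
    if tag == 'rec':                                   # Tr-Rec
        return step(subst(t[2], t[1], t))
    if tag == 'nu':                                    # Tr-Hiding: drop bare c-actions
        c = t[1]
        return {(l, ('nu', c, a)) for (l, a) in step(t[2])
                if l == 'tau' or l[0] == 'acc' or l[1] != c}
    a, b = t[1], t[2]                                  # par
    sa, sb = step(a), step(b)
    res = {(l, ('par', a2, b)) for (l, a2) in sa}      # Tr-Par1 (left)
    res |= {(l, ('par', a, b2)) for (l, b2) in sb}     # Tr-Par1 (right)
    for (la, a2) in sa:                                # Tr-Com: c! meets c?
        for (lb, b2) in sb:
            if (la != 'tau' and lb != 'tau' and la[1] == lb[1]
                    and {la[0], lb[0]} == {'out', 'in'}):
                res.add(('tau', ('par', a2, b2)))
    return res


def check_traces(t, x, phi, start):
    """Decide traces_x(t) <= Phi by exploring (type, Phi-state) pairs.

    phi is a prefix-closed specification as a partial transition table
    {(state, xi): state}; an access with no entry is a violation.
    Returns (True, None) or (False, offending_trace)."""
    seen = {(t, start)}
    queue = deque([(t, start, ())])
    while queue:
        cur, q, trace = queue.popleft()
        for (l, nxt) in step(cur):
            q2, tr2 = q, trace
            if l != 'tau' and l[0] == 'acc' and l[1] == x:
                if (q, l[2]) not in phi:
                    return False, trace + (l[2],)
                q2, tr2 = phi[(q, l[2])], trace + (l[2],)
            if (nxt, q2) not in seen:
                seen.add((nxt, q2))
                queue.append((nxt, q2, tr2))
    return True, None


# Phi for a file-like resource (constructed): init, then reads, then close.
PHI_FILE = {('fresh', 'init'): 'open', ('open', 'read'): 'open',
            ('open', 'close'): 'closed'}


def reader():
    """$16 in the Figure 9 output: mu b. (c! (+) acc(x, read). b)."""
    return ('rec', 'b', ('choice', ('out', 'c', ZERO),
                                   ('acc', 'x', 'read', ('var', 'b'))))


def figure9_type(hide_c=True):
    """acc(x, init). ($16 | $16 | c?. c?. acc(x, close). 0), under (nu c) by default."""
    closer = ('in', 'c', ('in', 'c', ('acc', 'x', 'close', ZERO)))
    body = ('acc', 'x', 'init', ('par', reader(), ('par', reader(), closer)))
    return ('nu', 'c', body) if hide_c else body


if __name__ == '__main__':
    print(check_traces(figure9_type(True), 'x', PHI_FILE, 'fresh'))
    print(check_traces(figure9_type(False), 'x', PHI_FILE, 'fresh'))
```

The state space explored is finite because the readers are recursive (not replicated) and unfolding a $\mu$ returns to a structurally identical tuple, which is exactly the situation in which the paper's Petri-net reduction also stays finite.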

Technically, closest to our type system are that of Igarashi and Kobayashi and that of Chaki, Rajamani, and Rehof [3]. Those type systems were developed for checking the communication behavior of a process, but by viewing a set of channels as a resource, it is possible to use them directly for resource usage analysis. We summarize below the similarities and differences between those type systems and the type system in the present paper.

(1) Whether types are supplied by the programmer or inferred automatically: Types are inferred automatically in Igarashi and Kobayashi's generic type system and in the type system of the present paper, but the type of each channel must be annotated in Chaki et al.'s type system. The annotated type contains information about how the values (channels, in particular) sent along the channel are used by senders and receivers, and that information is used to make the type checking process compositional. For the purpose of the resource usage analysis discussed here, we think that it is a burden for programmers to declare how channels are going to be used, since their primary concern is how resources are accessed, not channels. Ideally, one would allow the user to specify some types and infer the others, as in ML. For that purpose, we need to develop an algorithm to check the conformance $A \le B$ of an inferred type $A$ to a declared type $B$. That seems generally harder to decide than the trace inclusion constraint $\mathit{traces}_x(A) \subseteq \Phi$, but we expect to be able to develop a sound algorithm by properly restricting the language of declared types.

(2) The languages used as behavioral types: All three type systems use a fragment of CCS as the language of types to check cross-channel dependency of communications. The types in Igarashi and Kobayashi's generic type system for the π-calculus, however, lack hiding, so that their type system cannot be applied to obtain precise information about resource usage. In fact, their analysis would fail even for the program in Example 2.8. Chaki et al.'s type system does use hiding, but lacks renaming as a constructor. Without the renaming constructor, the most general type does not necessarily exist, which hinders automatic type inference (recall Remark 3.12).

(3) Algorithms for checking the conformance of inferred types with respect to specifications: In Igarashi and Kobayashi's generic type system, how to check conformance of inferred types with respect to the user-supplied specifications was left open, and it was only suggested that it could be solved as a model checking problem. In Chaki et al.'s type system, the conformance is expressed as $A \models F$ (for checking the global behavior, where $F$ is an LTL formula) and $A \le A'$ (for checking the conformance of declared types with respect to inferred types). In their type checker PIPER, those conditions are verified using SPIN, so that $A$ is restricted to a finite-state process. Corresponding to the conformance check of the above work is our check of the trace inclusion constraints $\mathit{traces}_x(A) \subseteq \Phi$. Our algorithm, based on the reduction to Petri nets, works even when $A$ has infinitely many states.

(4) The guaranteed properties: Both Igarashi and Kobayashi's generic type system and the extended type system of the present paper can guarantee a certain lock-freedom property, namely that necessary communications or resource accesses are eventually performed (unless the whole process diverges), while Chaki et al.'s type system and the type system in Section 3 of the present paper do not. The guaranteed properties depend on the choice of the language of behavioral types and the subtyping relation. In the latter type systems, the ordinary simulation relation is used, so that a process's type describes only an upper bound of the possible behavior of the process, not a lower bound of the behavior such as "a certain resource access is eventually performed." Rajamani et al. recently introduced a more elaborate notion of simulation relation called "stuck-free conformance." Even with the stuck-free conformance relation, however, their type system [2] still cannot guarantee the absence of deadlock in a process. On the other hand, by relying on an external analysis to check deadlock-freedom, the extension in Section 5 keeps the typing rules and the subtyping relation simple, while achieving the guarantee that necessary resource accesses are eventually performed unless the whole process diverges.

Kobayashi's type systems for deadlock-freedom and livelock-freedom [14, 15, 16] and their implementation form the basis of the extended type systems for partial and total liveness properties discussed earlier in the paper, and are used for producing well-annotated programs. Conversely, the behavioral types introduced in this paper can be used to refine the type systems for deadlock-freedom and livelock-freedom. Yoshida and Honda have also studied type systems that can guarantee certain lock-freedom properties [25, 26]. So, their type systems can also be used for checking whether programs are well-annotated in the sense of Section 5.

In Section 5 we have utilized the existing analysis for deadlock-freedom to enhance the result of the resource usage analysis. Other type systems for concurrent languages may also be useful. For example, the type system for atomicity can be used to infer the atomicity of a sequence of actions in a source program. By using the atomicity information, we may be able to reduce the state space of behavioral types and check the trace inclusion relation $\mathit{etraces}_x(A) \subseteq \Phi$ more efficiently.

8. Conclusion 

We have formalized a type system for resource usage analysis and proved its soundness. We have also developed a sound (but incomplete, because of the last phase for deciding the trace inclusion relation $\mathit{traces}_x(A) \subseteq \Phi$) type inference algorithm for it, in order to liberate programmers from the burden of writing complex type annotations. We have also implemented a prototype resource usage analyzer based on the algorithm.

There remains much future work. It is necessary to assess the effectiveness of our analysis, including the design of the type system and the algorithm for deciding the trace inclusion relation $\mathit{traces}_x(A) \subseteq \Phi$, in more detail, and to refine the analysis if necessary. It is also necessary to make the analyzer more user-friendly by devising a method for generating a comprehensive explanation of the verification result; currently, the analyzer gives only a yes/no answer. Extensions of the type system to deal with other typical synchronization primitives like join-patterns and internal choice are also left for future work.
Appendix

Appendix A. Properties of the Subtyping Relation

This section states and proves the properties of the subtyping relation which are used in the proof of type soundness (Theorems 3.14 and 5.8; in particular the proofs of the lemmas in Appendices B and C), and in the type inference algorithm (in particular, for transforming constraints on behavioral types).

Actually, there are two subtyping relations: the basic one in Definition 3.5 and the extended one in Definition 5.7. Since the proofs are almost the same, we state and prove the properties of the basic and extended ones simultaneously. In a few places, we have an additional condition to check for the extended case. Such places will be marked by "Extended case only." When we are discussing the basic case, attributes attached to actions should be ignored. We also omit them even for the extended case when they are not important.

Lemma A.1 (Sim­ulation relation).

(1) The subtyping relation $\le$ is reflexive and transitive.

(2) (Simulation-up-to) Let $\mathcal{R}$ be a relation on behavioral types such that whenever $A_1 \mathcal{R} A_2$ then

(i) $A_1 \xrightarrow{l} A_1'$ implies $A_2 \overset{l}{\Longrightarrow} A_2'$ and $A_1'\ \mathcal{R}{\le}\ A_2'$ for some $A_2'$, and

(ii) $\mathit{disabled}(A_1, S)$ implies $\mathit{disabled}(A_2, S)$.

Then $\mathcal{R} \subseteq {\le}$. Condition (ii) is required only for the extended case.

Proof. Part 1 is trivial by the definition. To show Part 2, suppose $\mathcal{R}$ is a simulation up to. We show that $\mathcal{R}' = (\mathcal{R}{\le}) \cup \mathcal{R}$ is a simulation, i.e., whenever $A_1 \mathcal{R}' A_2$, (i) $A_1 \xrightarrow{l} A_1'$ implies $A_2 \overset{l}{\Longrightarrow} A_2'$ and $A_1' \mathcal{R}' A_2'$ for some $A_2'$, and (Extended case only) (ii) $\mathit{disabled}(A_1, S)$ implies $\mathit{disabled}(A_2, S)$. Suppose $A_1 \mathcal{R}' A_2$. The case where $A_1 \mathcal{R} A_2$ is trivial by the definition of the simulation-up-to. To check the other case, suppose $A_1 \mathcal{R} A_3 \le A_2$. To show (i), suppose also that $A_1 \xrightarrow{l} A_1'$. Since $\mathcal{R}$ is a simulation up to, there exists $A_3'$ such that $A_3 \overset{l}{\Longrightarrow} A_3'$ and $A_1'\ \mathcal{R}{\le}\ A_3'$. By $A_3 \overset{l}{\Longrightarrow} A_3'$ and $A_3 \le A_2$, we have $A_2'$ such that $A_2 \overset{l}{\Longrightarrow} A_2'$ and $A_3' \le A_2'$. Since $\le$ is transitive, we have $A_1'\ \mathcal{R}{\le}\ A_2'$, which implies $A_1' \mathcal{R}' A_2'$.

Extended case only: To show (ii), suppose $\mathit{disabled}(A_1, S)$. Since $\mathcal{R}$ is a simulation up to, we have $\mathit{disabled}(A_3, S)$, which implies $\mathit{disabled}(A_2, S)$. □



Lemma A.2 (Structural congruence).

(1) $A \mid \mathbf{0} \approx A$

(2) $A \mid B \approx B \mid A$

(3) $A \mid (B \mid C) \approx (A \mid B) \mid C$

(4) $A \oplus B \approx B \oplus A$

(5) $A \oplus (B \oplus C) \approx (A \oplus B) \oplus C$

(6) $*A \approx A \mid *A$

(7) $(\nu x)(A \mid B) \approx (\nu x)A \mid B$ if $x \notin \mathbf{FV}(B)$

(8) $(\nu x)(A \oplus B) \approx (\nu x)A \oplus B$ if $x \notin \mathbf{FV}(B)$

(9) $[\mu\alpha.A/\alpha]A \approx \mu\alpha.A$

Proof. These proofs are all standard. □
We next show that $\le$ is a precongruence. We first show it for some basic type constructors.

Lemma A.3 (Precongruence, simple cases). If $A \le A'$ then

(1) $A \mid B \le A' \mid B'$ if $B \le B'$

(2) $(y/x)A \le (y/x)A'$

(3) $(\nu x)A \le (\nu x)A'$

(4) $A{\uparrow_S} \le A'{\uparrow_S}$

(5) $A{\downarrow_S} \le A'{\downarrow_S}$

Proof. These follow from the fact that the following relations are all simulations-up-to.

$$
\begin{array}{rcl}
\mathcal{R}_1 &=& \{(A \mid B,\ A' \mid B') \mid A \le A',\ B \le B'\}\\
\mathcal{R}_2 &=& \{((y/x)A,\ (y/x)A') \mid A \le A'\}\\
\mathcal{R}_3 &=& \{((\nu x)A,\ (\nu x)A') \mid A \le A'\}\\
\mathcal{R}_4 &=& \{(A{\uparrow_S},\ A'{\uparrow_S}) \mid A \le A'\}\\
\mathcal{R}_5 &=& \{(A{\downarrow_S},\ A'{\downarrow_S}) \mid A \le A'\}
\end{array}
$$
□

We now show that $\le$ is closed under arbitrary type constructors. $\mathit{FTV}(B)$ below is the set of free (i.e., not bound by $\mu$) behavioral type variables.

Lemma A.4 (Precongruence, general cases). If $A \le A'$ and $\mathit{FTV}(B) \subseteq \{\alpha\}$, then $[A/\alpha]B \le [A'/\alpha]B$.

Proof. Let $\mathcal{R} = \{([A/\alpha]B,\ [A'/\alpha]B)\}$. We will prove (i) if $[A/\alpha]B \xrightarrow{l} B_1$ then $[A'/\alpha]B \overset{l}{\Longrightarrow} B_1'$ with $B_1\ \mathcal{R}{\le}\ B_1'$, by induction on the derivation of $[A/\alpha]B \xrightarrow{l} B_1$. We will also prove (ii) $\mathit{disabled}([A/\alpha]B, S)$ implies $\mathit{disabled}([A'/\alpha]B, S)$, by induction on the structure of $B$, in the extended case. In other words, $\mathcal{R}$ is a simulation-up-to. Hence (Lemma A.1(2)) it is included in $\le$.

We start with (i), with case analysis on the last rule used. If $B = \alpha$, then the required condition follows immediately from $A \le A'$. So we consider the case $B \neq \alpha$ below.

(1) Case (Tr-Act). In this case, $B = l.B_x$, so

$$[A/\alpha]B = l.[A/\alpha]B_x \xrightarrow{l} [A/\alpha]B_x = B_1.$$

We also have

$$[A'/\alpha]B = l.[A'/\alpha]B_x \xrightarrow{l} [A'/\alpha]B_x = B_1'.$$

By construction of $\mathcal{R}$, we have $B_1\ \mathcal{R}\ B_1' \le B_1'$ as required.

(2) Case (Tr-Par1). We show only the left case. $B = B_x \mid B_y$ and we assumed $[A/\alpha]B_x \xrightarrow{l} B_{x1}$ to make

$$[A/\alpha]B = [A/\alpha]B_x \mid [A/\alpha]B_y \xrightarrow{l} B_{x1} \mid [A/\alpha]B_y = B_1.$$

By the induction hypothesis, $[A'/\alpha]B_x \overset{l}{\Longrightarrow} B_{x1}'$ with $B_{x1}\ \mathcal{R}{\le}\ B_{x1}'$. (Note that $\alpha$ is not free in $B_{x1}$ or $B_{x1}'$.) That gives

$$[A'/\alpha]B = [A'/\alpha]B_x \mid [A'/\alpha]B_y \overset{l}{\Longrightarrow} B_{x1}' \mid [A'/\alpha]B_y = B_1'.$$

It remains to prove $B_1\ \mathcal{R}{\le}\ B_1'$. By the condition $B_{x1}\ \mathcal{R}{\le}\ B_{x1}'$, there exists $C$ such that

$$B_{x1} = [A/\alpha]C \qquad [A'/\alpha]C \le B_{x1}'.$$

So, we get:

$$B_1 = [A/\alpha](C \mid B_y)\ \mathcal{R}\ [A'/\alpha](C \mid B_y) = [A'/\alpha]C \mid [A'/\alpha]B_y \le B_{x1}' \mid [A'/\alpha]B_y = B_1'.$$

Here, we have used Lemma A.3(1).

(3) Case (Tr-Par2). We show only the left case. $B = B_x \mid B_y$ and we assumed $[A/\alpha]B_x \longrightarrow B_{x1}$ and $[A/\alpha]B_y \longrightarrow B_{y1}$ to make

$$[A/\alpha]B = [A/\alpha]B_x \mid [A/\alpha]B_y \longrightarrow B_{x1} \mid B_{y1} = B_1.$$

By the induction hypothesis, $[A'/\alpha]B_x \Longrightarrow B_{x1}'$ and $[A'/\alpha]B_y \Longrightarrow B_{y1}'$ with $B_{x1}\ \mathcal{R}{\le}\ B_{x1}'$ and $B_{y1}\ \mathcal{R}{\le}\ B_{y1}'$. That gives

$$[A'/\alpha]B = [A'/\alpha]B_x \mid [A'/\alpha]B_y \Longrightarrow B_{x1}' \mid B_{y1}' = B_1'.$$

It remains to prove $B_1\ \mathcal{R}{\le}\ B_1'$. From $B_{x1}\ \mathcal{R}{\le}\ B_{x1}'$ and $B_{y1}\ \mathcal{R}{\le}\ B_{y1}'$, there exist $C_x$ and $C_y$ such that

$$B_{x1} = [A/\alpha]C_x \qquad [A'/\alpha]C_x \le B_{x1}'$$
$$B_{y1} = [A/\alpha]C_y \qquad [A'/\alpha]C_y \le B_{y1}'$$

Hence, $B_1 = [A/\alpha](C_x \mid C_y)\ \mathcal{R}\ [A'/\alpha](C_x \mid C_y) \le B_1'$.

(4) Cases (Tr-Com) and (Tr-Or). These cases follow immediately from the induction hypothesis.

(5) Case (Tr-Rep). Then $B = *B_x$ and $[A/\alpha]B = *[A/\alpha]B_x$. The transition $[A/\alpha]B \xrightarrow{l} B_1$ must have been derived from

$$[A/\alpha](B_x \mid *B_x) = [A/\alpha]B_x \mid *[A/\alpha]B_x \xrightarrow{l} B_1.$$

By the induction hypothesis, there exists $B_1'$ such that

$$B_1\ \mathcal{R}{\le}\ B_1' \quad\text{and}\quad [A'/\alpha](B_x \mid *B_x) \overset{l}{\Longrightarrow} B_1'.$$

Using (Tr-Rep), we get $[A'/\alpha]B \overset{l}{\Longrightarrow} B_1'$ as required.

(6) Case (Tr-Rec). Then, we have $B = \mu\beta.B_x$ to make

$$[A/\alpha]B = \mu\beta.[A/\alpha]B_x \xrightarrow{l} B_1$$

where we assumed $[\mu\beta.[A/\alpha]B_x/\beta][A/\alpha]B_x \xrightarrow{l} B_1$. But $\beta$ does not clash with $A$ or $\alpha$, so these two substitutions swap around, giving

$$[A/\alpha][\mu\beta.B_x/\beta]B_x \xrightarrow{l} B_1.$$

By the induction hypothesis,

$$[A'/\alpha][\mu\beta.B_x/\beta]B_x \overset{l}{\Longrightarrow} B_1'$$

with $B_1\ \mathcal{R}{\le}\ B_1'$. Hence

$$[A'/\alpha]B = \mu\beta.[A'/\alpha]B_x \overset{l}{\Longrightarrow} B_1'$$

as required.

(7) Case (Tr-Rename). Then, $B = (y/x)B_x$. The transition $[A/\alpha]B \xrightarrow{[y/x]l} (y/x)B_{x1} = B_1$ must have been derived from $[A/\alpha]B_x \xrightarrow{l} B_{x1}$. From the induction hypothesis, we get

$$[A'/\alpha]B_x \overset{l}{\Longrightarrow} B_{x1}' \qquad B_{x1}\ \mathcal{R}{\le}\ B_{x1}'.$$

Let $B_1' = (y/x)B_{x1}'$. It remains to prove $B_1\ \mathcal{R}{\le}\ B_1'$. By $B_{x1}\ \mathcal{R}{\le}\ B_{x1}'$, there exists $C$ such that

$$B_{x1} = [A/\alpha]C \qquad [A'/\alpha]C \le B_{x1}'.$$

So, we have:

$$B_1 = [A/\alpha](y/x)C\ \mathcal{R}\ [A'/\alpha](y/x)C = (y/x)[A'/\alpha]C \le (y/x)B_{x1}' = B_1'.$$

Here, we used the fact that $\le$ is preserved by $(y/x)$ (Lemma A.3(2)).

(8) Cases (Tr-Hiding), (Tr-Exclude), and (Tr-Project): Similar to (Tr-Rename). We use the fact that $\le$ is preserved by $(\nu x)$, ${\uparrow_S}$, and ${\downarrow_S}$ (Lemma A.3).

Extended case only: In addition we need to show that $\mathit{disabled}([A/\alpha]B, S)$ implies $\mathit{disabled}([A'/\alpha]B, S)$. This follows by straightforward induction on the structure of $B$. □

Lemma A.5 (Substitution).

(1) $(y/x)\mathbf{0} \approx \mathbf{0}$

(2) $(y/x)(a.A) \approx ([y/x]a).(y/x)A$

(3) $(y/x)(z^{\xi}.A) \approx ([y/x]z)^{\xi}.(y/x)A$

(4) $(y/x)(A \mid B) \approx (y/x)A \mid (y/x)B$

(5) $(y/x)(A \oplus B) \approx (y/x)A \oplus (y/x)B$

(6) $(y/x)(*A) \approx *((y/x)A)$

(7) $(y/x)(b/a)A \approx ([y/x]b/a)(y/x)A$ if $\mathit{target}(a) \cap \{x,y\} = \emptyset$

(8) $(y/x)(\nu z)A \approx (\nu z)((y/x)A)$ if $\{z\} \cap \{x,y\} = \emptyset$

(9) $(y/x)(A{\uparrow_S}) \approx ((y/x)A){\uparrow_S}$, and $(y/x)(A{\downarrow_S}) \approx ((y/x)A){\downarrow_S} \approx A{\downarrow_S}$, if $S \cap \{x,y\} = \emptyset$

(10) $(y/x)(A{\uparrow_S}) \approx A{\uparrow_S}$ if $\{x\} \subseteq S$

Proof. Most parts are straightforward, although Part 4 is non-obvious in the case of labels on $\{x,y\}$. For Part 4 we construct a relation $\mathcal{S} = \{((y/x)(A \mid B),\ (y/x)A \mid (y/x)B)\}$ and prove that $\mathcal{S}$ and $\mathcal{S}^{-1}$ are simulations. The interesting case is when we infer

$$(y/x)A \mid (y/x)B \xrightarrow{\tau} (y/x)A' \mid (y/x)B'$$

from $A \xrightarrow{l_1} A'$ and $B \xrightarrow{l_2} B'$, where the subjects $z_1$ and $z_2$ of $l_1$ and $l_2$ satisfy $[y/x]z_1 = [y/x]z_2$. This gives $A \mid B \longrightarrow A' \mid B'$, hence $(y/x)(A \mid B) \longrightarrow (y/x)(A' \mid B')$, and hence as required

$$(y/x)(A \mid B) \xrightarrow{\tau} (y/x)(A' \mid B').$$

Part 9: Here we construct $\mathcal{S} = \{((y/x)(A{\uparrow_S}),\ ((y/x)A){\uparrow_S})\}$ where $S$ does not clash with $\{x,y\}$, and we prove that $\mathcal{S}$ and $\mathcal{S}^{-1}$ are simulations. We focus on two cases.

(1) Suppose $((y/x)A){\uparrow_S} \xrightarrow{[y/x]l} ((y/x)A'){\uparrow_S}$ is inferred from

$$A \xrightarrow{l} A' \quad\text{and}\quad \mathit{target}([y/x]l) \cap S = \emptyset.$$

We must infer that $(y/x)(A{\uparrow_S}) \xrightarrow{[y/x]l} (y/x)(A'{\uparrow_S})$. This requires $\mathit{target}(l) \cap S = \emptyset$, which we prove as follows. It is assumed that $S$ does not clash, so $\{x,y\} \cap S = \emptyset$. We also have $\mathit{target}([y/x]l) \cap S = \emptyset$, and so $[y/x](\mathit{target}(l)) \cap S = \emptyset$. Let $T = \mathit{target}(l)$. Suppose $z \in T$. Then either $z = x$, so $z \notin S$; or $z = y$, so $z \notin S$; or $z \notin \{x,y\}$, so $z \in [y/x]T$ and $z \notin S$. In all cases $z \notin S$, so $T \cap S = \emptyset$ as required.

(2) Suppose $((y/x)A){\uparrow_S} \xrightarrow{\tau} ((y/x)A'){\uparrow_S}$ is inferred from $A \xrightarrow{l} A'$ and $\mathit{target}([y/x]l) \subseteq S$. We must infer $(y/x)(A{\uparrow_S}) \xrightarrow{\tau} (y/x)(A'{\uparrow_S})$. This requires $\mathit{target}(l) \subseteq S$, which we prove as follows. Once again let $T = \mathit{target}(l)$. We have $\{x,y\} \cap S = \emptyset$ and $[y/x]T \subseteq S$. Suppose $z \in T$. Then $[y/x]z \in [y/x]T$, and $[y/x]z \in S$. Either $z = x$, so $y \in S$, which is a contradiction. Or $z \neq x$, so $[y/x]z = z \in S$. Hence $T \subseteq S$ as required. □

Lemma A.6 (Exclusion and Projection).

(1) $\mathbf{0}{\uparrow_S} \approx \mathbf{0}$ and $\mathbf{0}{\downarrow_S} \approx \mathbf{0}$

(2) $(a_t.A){\uparrow_S} \approx a_t.(A{\uparrow_S})$ and $(a_t.A){\downarrow_S} \approx \tau_t.(A{\downarrow_S})$ if $\mathit{target}(a) \cap S = \emptyset$

(3) $(a_t.A){\uparrow_S} \approx \tau_t.(A{\uparrow_S})$ and $(a_t.A){\downarrow_S} \approx a_t.(A{\downarrow_S})$ if $\mathit{target}(a) \subseteq S$

(4) $(z^{\xi}.A){\uparrow_S} \approx z^{\xi}.(A{\uparrow_S})$ and $(z^{\xi}.A){\downarrow_S} \approx \tau.(A{\downarrow_S})$ if $\mathit{target}(z^{\xi}) \cap S = \emptyset$

(5) $(z^{\xi}.A){\uparrow_S} \approx \tau.(A{\uparrow_S})$ and $(z^{\xi}.A){\downarrow_S} \approx z^{\xi}.(A{\downarrow_S})$ if $\mathit{target}(z^{\xi}) \subseteq S$

(6) $(A \mid B){\uparrow_S} \approx A{\uparrow_S} \mid B{\uparrow_S}$ and $(A \mid B){\downarrow_S} \approx A{\downarrow_S} \mid B{\downarrow_S}$

(7) $(A \oplus B){\uparrow_S} \approx A{\uparrow_S} \oplus B{\uparrow_S}$ and $(A \oplus B){\downarrow_S} \approx A{\downarrow_S} \oplus B{\downarrow_S}$

(8) $(*A){\uparrow_S} \approx *(A{\uparrow_S})$ and $(*A){\downarrow_S} \approx *(A{\downarrow_S})$

(9) $(A{\uparrow_S}){\uparrow_T} \approx A{\uparrow_{S \cup T}}$ and $(A{\downarrow_S}){\downarrow_T} \approx A{\downarrow_{S \cap T}}$

(10) $A{\uparrow_S} \approx A$ and $A{\downarrow_S} \le \mathbf{0}$ if $\mathbf{FV}(A) \cap S = \emptyset$

(11) $A{\uparrow_S} \le \mathbf{0}$ if $\mathbf{FV}(A) \subseteq S$

Proof. Straightforward. □

Lemma A.7 (Simulation).

(1) If $A_1 \le A_2$ then $\mathit{traces}_x(A_1) \subseteq \mathit{traces}_x(A_2)$ for any $x$.

(2) If $A \approx A'$ then $A \le A'$.

(3) $A \le A \oplus B$

(4) $A \oplus A \le A$

(5) $A \le A{\uparrow_S} \mid A{\downarrow_S}$

(6) If $[B/\alpha]A \le B$ then $\mu\alpha.A \le B$

(7) $B_1 \oplus B_2 \le A$ if and only if $B_1 \le A$ and $B_2 \le A$

Proof. These proofs are largely standard.

Part 1 follows immediately from the definitions of subtyping and traces.

Part 6: Suppose $[B/\alpha]A \le B$. Let $\mathcal{R}$ be

$$\{([\mu\alpha.A/\alpha]A',\ [B/\alpha]A') \mid \mathit{FTV}(A') = \{\alpha\}\}.$$

By Lemma A.1(2) it suffices to prove that $\mathcal{R}$ is a simulation up to. Suppose that $[\mu\alpha.A/\alpha]A'\ \mathcal{R}\ [B/\alpha]A'$ and $[\mu\alpha.A/\alpha]A' \xrightarrow{l} A''$. We show that there exists $B'$ such that $[B/\alpha]A' \overset{l}{\Longrightarrow} B'$ and $A''\ \mathcal{R}{\le}\ B'$, by induction on the derivation of $[\mu\alpha.A/\alpha]A' \xrightarrow{l} A''$, with case analysis on the last rule used. We show the main cases; the other cases are similar or straightforward.

• Case (Tr-Act): $[\mu\alpha.A/\alpha]A' \xrightarrow{l} A''$ is derived from $l.[\mu\alpha.A/\alpha]A_1 \xrightarrow{l} [\mu\alpha.A/\alpha]A_1$ where $A' = l.A_1$ and $A'' = [\mu\alpha.A/\alpha]A_1$. Thus, $[B/\alpha]A' = l.[B/\alpha]A_1 \xrightarrow{l} [B/\alpha]A_1$.

• Case (Tr-Par1): $[\mu\alpha.A/\alpha]A' \xrightarrow{l} A''$ is derived from $[\mu\alpha.A/\alpha]A_1 \xrightarrow{l} A_1'$ where $A' = A_1 \mid A_2$ and $A'' = A_1' \mid [\mu\alpha.A/\alpha]A_2$. By the induction hypothesis, there exists $B_1'$ such that $[B/\alpha]A_1 \overset{l}{\Longrightarrow} B_1'$ and $A_1'\ \mathcal{R}{\le}\ B_1'$. Thus, we have $[B/\alpha]A' \overset{l}{\Longrightarrow} B_1' \mid [B/\alpha]A_2$. It remains to show $A'' = A_1' \mid [\mu\alpha.A/\alpha]A_2\ \mathcal{R}{\le}\ B_1' \mid [B/\alpha]A_2$. From $A_1'\ \mathcal{R}{\le}\ B_1'$, we get

$$A_1' = [\mu\alpha.A/\alpha]C \qquad [B/\alpha]C \le B_1'$$

for some $C$. So,

$$A'' = A_1' \mid [\mu\alpha.A/\alpha]A_2 = [\mu\alpha.A/\alpha](C \mid A_2)\ \mathcal{R}\ [B/\alpha](C \mid A_2) = [B/\alpha]C \mid [B/\alpha]A_2 \le B_1' \mid [B/\alpha]A_2.$$

• Case (Tr-Par2): $[\mu\alpha.A/\alpha]A' \longrightarrow A''$ is derived from $[\mu\alpha.A/\alpha]A_1 \longrightarrow A_1'$ and $[\mu\alpha.A/\alpha]A_2 \longrightarrow A_2'$ where $A' = A_1 \mid A_2$ and $A'' = A_1' \mid A_2'$. From the induction hypothesis, there exist $B_1'$ and $B_2'$ such that $[B/\alpha]A_1 \Longrightarrow B_1'$ and $A_1'\ \mathcal{R}{\le}\ B_1'$ and $[B/\alpha]A_2 \Longrightarrow B_2'$ and $A_2'\ \mathcal{R}{\le}\ B_2'$. Thus, we have $[B/\alpha]A' \Longrightarrow B_1' \mid B_2'$. From $A_1'\ \mathcal{R}{\le}\ B_1'$ and $A_2'\ \mathcal{R}{\le}\ B_2'$, we get $A_1' \mid A_2'\ \mathcal{R}{\le}\ B_1' \mid B_2'$ as required.

• Case (Tr-Rec):

– Case $A' = \mu\beta.A_1$: $[\mu\alpha.A/\alpha]A' \xrightarrow{l} A''$ is derived from

$$[\mu\alpha.A/\alpha][\mu\beta.A_1/\beta]A_1 = [\mu\beta.[\mu\alpha.A/\alpha]A_1/\beta][\mu\alpha.A/\alpha]A_1 \xrightarrow{l} A''.$$

Here, we assumed without loss of generality that $\beta$ is not free in $A$ and $B$. Thus, by the induction hypothesis, there exists $B'$ such that

$$[\mu\beta.[B/\alpha]A_1/\beta][B/\alpha]A_1 = [B/\alpha][\mu\beta.A_1/\beta]A_1 \overset{l}{\Longrightarrow} B'$$

and $A''\ \mathcal{R}{\le}\ B'$. Using (Tr-Rec), we obtain $[B/\alpha]A' = \mu\beta.[B/\alpha]A_1 \overset{l}{\Longrightarrow} B'$ as required.

– Case $A' = \alpha$: $[\mu\alpha.A/\alpha]A'$ is equal to $\mu\alpha.A$, whose transition $\mu\alpha.A \xrightarrow{l} A''$ is derived from $[\mu\alpha.A/\alpha]A \xrightarrow{l} A''$. By the induction hypothesis and the assumption $[B/\alpha]A \le B$, there exists $B'$ such that $B \overset{l}{\Longrightarrow} B'$ and $A''\ \mathcal{R}{\le}\ B'$ as required (note that $[B/\alpha]A' = B$ in this case).

Extended case only: We also need to prove that

$$\mathit{disabled}([\mu\alpha.A/\alpha]A', S) \text{ implies } \mathit{disabled}([B/\alpha]A', S) \text{ for any } A'.$$

This is proved by induction on the derivation of $\mathit{disabled}([\mu\alpha.A/\alpha]A', S)$. We show the only non-trivial case, where $\mathit{disabled}([\mu\alpha.A/\alpha]A', S)$ has been derived by using the last rule in Figure 7. The other cases follow immediately from the induction hypothesis. There are two cases to consider.

• Case where $A' = \alpha$: Then, $[\mu\alpha.A/\alpha]A' = \mu\alpha.A$ and $\mathit{disabled}(\mu\alpha.A, S)$ must have been deduced from $\mathit{disabled}([\mu\alpha.A/\alpha]A, S)$. By the induction hypothesis, we have $\mathit{disabled}([B/\alpha]A, S)$. By the assumption $[B/\alpha]A \le B$, we have $\mathit{disabled}(B, S)$ as required (note that $[B/\alpha]A' = B$ in this case).

• Case where $A' = \mu\beta.C$: Let $C'$ be $[\mu\alpha.A/\alpha]C$. Then, $[\mu\alpha.A/\alpha]A' = \mu\beta.C'$, and $\mathit{disabled}(\mu\beta.C', S)$ must have been derived from $\mathit{disabled}([\mu\beta.C'/\beta]C', S)$. Here, we note

$$[\mu\beta.C'/\beta]C' = [\mu\alpha.A/\alpha][\mu\beta.C/\beta]C.$$

So, from the induction hypothesis, we get $\mathit{disabled}([B/\alpha][\mu\beta.C/\beta]C, S)$, i.e.,

$$\mathit{disabled}([\mu\beta.[B/\alpha]C/\beta][B/\alpha]C, S).$$

By using the last rule of Figure 7 we get $\mathit{disabled}([B/\alpha]A', S)$ as required. □

Appendix B. Proof of the Subject Reduction Property

In this section, we prove the subject reduction property used in the proofs of Theorems 3.14 and 5.8. As in Appendix A, we prove it for the basic and extended cases simultaneously.

Lemma B.1 (Weakening). (1) If $\Gamma \rhd v : \sigma$ and $x \notin \mathit{dom}(\Gamma)$, then $\Gamma, x : \sigma' \rhd v : \sigma$. (2) If $\Gamma \rhd P : A$ and $x \notin \mathbf{FV}(P)$ and $x$ is not in $\mathit{dom}(\Gamma)$ or $\mathbf{FV}(A)$, then $\Gamma, x : \sigma \rhd P : A$.

Proof. Part 1 is straightforward. Part 2 is proved by straightforward induction on the derivation of $\Gamma \rhd P : A$. □

Lemma B.2 (Judgement substitution).

(1) (For values) If $\Gamma, \tilde{x} : \tilde{\tau} \rhd y : \sigma$ and $\Gamma \rhd \tilde{v} : \tilde{\tau}$ then $\Gamma \rhd [\tilde{v}/\tilde{x}]y : \sigma$.

(2) (For processes) If $\Gamma, \tilde{x} : \tilde{\tau} \rhd P : A$ and $\Gamma \rhd \tilde{v} : \tilde{\tau}$ then $\Gamma \rhd [\tilde{v}/\tilde{x}]P : (\tilde{v}/\tilde{x})A$.

Proof. Part 1: Either $y = x_i$ for some $i$, in which case $[\tilde{v}/\tilde{x}]y = v_i$ and $\sigma = \tau_i$, so that the result follows from $\Gamma \rhd \tilde{v} : \tilde{\tau}$. Or $y \notin \tilde{x}$, in which case $[\tilde{v}/\tilde{x}]y = y$ and $y : \sigma$ is in $\Gamma$. We remark that types $\sigma$ never have free names.

Part 2: By induction on the derivation of $\Gamma, \tilde{x} : \tilde{\tau} \rhd P : A$. Most cases follow straightforwardly from Lemma A.5. We consider four particular cases.

(1) Case (T-Sub), where $\Gamma, \tilde{x} : \tilde{\tau} \rhd P : A$ is inferred from

$$\Gamma, \tilde{x} : \tilde{\tau} \rhd P : A' \qquad A' \le A$$

From the induction hypothesis, $\Gamma \rhd [\tilde{v}/\tilde{x}]P : (\tilde{v}/\tilde{x})A'$. By Lemma A.3(2) and the assumption $A' \le A$ we get $(\tilde{v}/\tilde{x})A' \le (\tilde{v}/\tilde{x})A$, and hence as required $\Gamma \rhd [\tilde{v}/\tilde{x}]P : (\tilde{v}/\tilde{x})A$.

(2) Case (T-NewR), where $\Gamma, \tilde{x} : \tilde{\tau} \rhd (\mathbf{N}^{\Phi} z)P : A{\uparrow_{\{z\}}}$ is inferred from

$$\Gamma, \tilde{x} : \tilde{\tau}, z : \mathbf{res} \rhd P : A \qquad \mathit{traces}_z(A) \subseteq \Phi$$

Assume by alpha-renaming that $z$ does not clash with $\tilde{x}$ or $\tilde{v}$. From Lemma A.5(9) we get $A{\downarrow_{\{z\}}} \approx ((\tilde{v}/\tilde{x})A){\downarrow_{\{z\}}}$, giving $\mathit{traces}_z(A) = \mathit{traces}_z((\tilde{v}/\tilde{x})A)$ and hence $\mathit{traces}_z((\tilde{v}/\tilde{x})A) \subseteq \Phi$. From $\Gamma \rhd \tilde{v} : \tilde{\tau}$ and Lemma B.1 we get $\Gamma, z : \mathbf{res} \rhd \tilde{v} : \tilde{\tau}$. So, by the induction hypothesis, $\Gamma, z : \mathbf{res} \rhd [\tilde{v}/\tilde{x}]P : (\tilde{v}/\tilde{x})A$. These two together give

$$\Gamma \rhd (\mathbf{N}^{\Phi} z)[\tilde{v}/\tilde{x}]P : ((\tilde{v}/\tilde{x})A){\uparrow_{\{z\}}}$$

For the process $(\mathbf{N}^{\Phi} z)[\tilde{v}/\tilde{x}]P$, we can push the substitution out by definition of the substitution operator and because $z \notin \{\tilde{x}, \tilde{v}\}$. For the behavior we use Lemma A.5(9) to push it out. Hence as required,

$$\Gamma \rhd [\tilde{v}/\tilde{x}](\mathbf{N}^{\Phi} z)P : (\tilde{v}/\tilde{x})(A{\uparrow_{\{z\}}}).$$

Extended case only: Just replace $\mathit{traces}$ with $\mathit{etraces}$ in the above reasoning.

(3) Case (T-Out), where $\Gamma, \tilde{x} : \tilde{\tau} \rhd z!(\tilde{w}).P : z.((\tilde{w}/\tilde{y})A_1 \mid A_2)$ is inferred from

$$\Gamma, \tilde{x} : \tilde{\tau} \rhd P : A_2 \qquad \Gamma, \tilde{x} : \tilde{\tau} \rhd \tilde{w} : \tilde{\sigma} \qquad \Gamma, \tilde{x} : \tilde{\tau} \rhd z : \mathbf{chan}((\tilde{y} : \tilde{\sigma})A_1)$$

Part 1 implies $\Gamma \rhd [\tilde{v}/\tilde{x}]\tilde{w} : \tilde{\sigma}$ and $\Gamma \rhd [\tilde{v}/\tilde{x}]z : \mathbf{chan}((\tilde{y} : \tilde{\sigma})A_1)$. From the induction hypothesis, we get $\Gamma \rhd [\tilde{v}/\tilde{x}]P : (\tilde{v}/\tilde{x})A_2$. These three give

$$\Gamma \rhd [\tilde{v}/\tilde{x}]z!([\tilde{v}/\tilde{x}]\tilde{w}).[\tilde{v}/\tilde{x}]P : [\tilde{v}/\tilde{x}]z.(([\tilde{v}/\tilde{x}]\tilde{w}/\tilde{y})A_1 \mid (\tilde{v}/\tilde{x})A_2)$$

For the process we push the substitution out by definition of the substitution operator. For the behavior we push it out using several parts of Lemma A.5.

(4) Case (T-In), where $\Gamma, \tilde{x} : \tilde{\tau} \rhd z?(\tilde{y}).P : z.(A_2{\uparrow_{\{\tilde{y}\}}})$ is inferred from

$$\Gamma, \tilde{y} : \tilde{\sigma}, \tilde{x} : \tilde{\tau} \rhd P : A_2 \qquad \Gamma, \tilde{x} : \tilde{\tau} \rhd z : \mathbf{chan}((\tilde{y} : \tilde{\sigma})A_1) \qquad A_2{\downarrow_{\{\tilde{y}\}}} \le A_1$$

We use three deductions. First, from Part 1 we get $\Gamma \rhd [\tilde{v}/\tilde{x}]z : \mathbf{chan}((\tilde{y} : \tilde{\sigma})A_1)$. Second, from the assumption $A_2{\downarrow_{\{\tilde{y}\}}} \le A_1$ and Lemma A.3(2) we get $(\tilde{v}/\tilde{x})(A_2{\downarrow_{\{\tilde{y}\}}}) \le (\tilde{v}/\tilde{x})A_1$. The substitution on the right disappears because $\mathbf{FV}(A_1) \subseteq \{\tilde{y}\}$ and we can assume by alpha-renaming that $\tilde{y}$ does not clash with $\{\tilde{x}, \tilde{v}\}$. The substitution on the left can be pushed inside by Lemma A.5(9). These together give $((\tilde{v}/\tilde{x})A_2){\downarrow_{\{\tilde{y}\}}} \le A_1$. And third, from the induction hypothesis we get $\Gamma, \tilde{y} : \tilde{\sigma} \rhd [\tilde{v}/\tilde{x}]P : (\tilde{v}/\tilde{x})A_2$. These three give

$$\Gamma \rhd [\tilde{v}/\tilde{x}]z?(\tilde{y}).[\tilde{v}/\tilde{x}]P : [\tilde{v}/\tilde{x}]z.(((\tilde{v}/\tilde{x})A_2){\uparrow_{\{\tilde{y}\}}})$$

As in the previous case we push the substitution out in the process and the behavior to get, as required,

$$\Gamma \rhd [\tilde{v}/\tilde{x}](z?(\tilde{y}).P) : (\tilde{v}/\tilde{x})(z.(A_2{\uparrow_{\{\tilde{y}\}}})). \qquad □$$

Lemma B.3 (Subject-reduction).

(1) If $\Gamma \rhd P : A$ and $P \preceq Q$ then $\Gamma \rhd Q : A$.

(2) (Subject-reduction) If $P \longrightarrow P'$ and $\Gamma \rhd P : A$ then $A \Longrightarrow A'$ and $\Gamma \rhd P' : A'$ for some $A'$.

Proof. Part 1: By induction on the derivation of $P \preceq Q$. Most cases use Lemma A.2. The case for $(\nu x)P \mid Q \preceq (\nu x)(P \mid Q)$ uses Lemma B.1. The only interesting case is that for $(\mathbf{N}^{\Phi} x)P \mid Q \preceq (\mathbf{N}^{\Phi} x)(P \mid Q)$ with $x \notin \mathbf{FV}(Q)$. The judgement $\Gamma \rhd (\mathbf{N}^{\Phi} x)P \mid Q : A$ must have been inferred from

$$\Gamma, x : \mathbf{res} \rhd P : A_3 \qquad \mathit{traces}_x(A_3) \subseteq \Phi \qquad A_3{\uparrow_{\{x\}}} \le A_1$$
$$\Gamma \rhd Q : A_2 \qquad A_1 \mid A_2 \le A$$

From these and Lemma B.1 we infer

$$\Gamma, x : \mathbf{res} \rhd P \mid Q : A_3 \mid A_2.$$

By alpha-renaming assume $x \notin \mathbf{FV}(A_2)$. By Lemmas A.6(6) and A.6(10) we get $(A_3 \mid A_2){\downarrow_{\{x\}}} \approx A_3{\downarrow_{\{x\}}} \mid A_2{\downarrow_{\{x\}}} \le A_3{\downarrow_{\{x\}}} \mid \mathbf{0}$, and then by Lemma A.7(1) we get $\mathit{traces}_x(A_3 \mid A_2) \subseteq \mathit{traces}_x(A_3)$, and so $\mathit{traces}_x(A_3 \mid A_2) \subseteq \Phi$. This gives

$$\Gamma \rhd (\mathbf{N}^{\Phi} x)(P \mid Q) : (A_3 \mid A_2){\uparrow_{\{x\}}}$$

Finally $(A_3 \mid A_2){\uparrow_{\{x\}}} \approx A_3{\uparrow_{\{x\}}} \mid A_2 \le A_1 \mid A_2 \le A$. This gives as required

$$\Gamma \rhd (\mathbf{N}^{\Phi} x)(P \mid Q) : A.$$

Extended case only: Just replace $\mathit{traces}$ with $\mathit{etraces}$ in the above reasoning.

Part 2: By induction on the derivation of $P \longrightarrow P'$. We show the main cases. The other cases are straightforward.

• Case (R-Com): We are given

$$\Gamma \rhd x!(\tilde{v}).P_1 \mid x?(\tilde{y}).P_2 : A.$$

This must have been deduced from

$$\Gamma \rhd x!(\tilde{v}).P_1 : A_1$$
$$\Gamma \rhd x?(\tilde{y}).P_2 : A_2$$
$$A_1 \mid A_2 \le A. \qquad \text{(B.1)}$$

$\Gamma \rhd x!(\tilde{v}).P_1 : A_1$ and $\Gamma \rhd x?(\tilde{y}).P_2 : A_2$ must have been deduced from

$$\Gamma \rhd P_1 : A_3 \qquad \text{(B.2)}$$
$$\Gamma \rhd x : \mathbf{chan}((\tilde{y} : \tilde{\sigma})A_4) \qquad \text{(B.3)}$$
$$\Gamma \rhd v_i : \sigma_i \qquad \text{(B.4)}$$
$$x.((\tilde{v}/\tilde{y})A_4 \mid A_3) \le A_1 \qquad \text{(B.5)}$$

and

$$\Gamma, \tilde{y} : \tilde{\sigma} \rhd P_2 : A_5 \qquad \text{(B.6)}$$
$$\Gamma \rhd x : \mathbf{chan}((\tilde{y} : \tilde{\sigma})A_4)$$
$$A_5{\downarrow_{\{\tilde{y}\}}} \le A_4 \qquad \text{(B.7)}$$
$$x.(A_5{\uparrow_{\{\tilde{y}\}}}) \le A_2 \qquad \text{(B.8)}$$

respectively. We must show $A \Longrightarrow A'$ and $\Gamma \rhd P_1 \mid [\tilde{v}/\tilde{y}]P_2 : A'$ for some $A'$. We pick some $A'$ such that $A \Longrightarrow A'$ and $A' \ge (\tilde{v}/\tilde{y})A_4 \mid A_3 \mid A_5{\uparrow_{\{\tilde{y}\}}}$. The existence of such $A'$ is guaranteed by $A \ge x.((\tilde{v}/\tilde{y})A_4 \mid A_3) \mid x.(A_5{\uparrow_{\{\tilde{y}\}}}) \xrightarrow{\tau} (\tilde{v}/\tilde{y})A_4 \mid A_3 \mid A_5{\uparrow_{\{\tilde{y}\}}}$, which follows from (B.1), (B.5) and (B.8), and the definition of the subtyping relation (Definition 3.5). It remains to prove $\Gamma \rhd P_1 \mid [\tilde{v}/\tilde{y}]P_2 : A'$. We start with the judgment (B.6),

$$\Gamma, \tilde{y} : \tilde{\sigma} \rhd P_2 : A_5.$$

By Lemma B.2,

$$\Gamma \rhd [\tilde{v}/\tilde{y}]P_2 : (\tilde{v}/\tilde{y})A_5.$$

Hence

$$\Gamma \rhd P_1 \mid [\tilde{v}/\tilde{y}]P_2 : A_3 \mid (\tilde{v}/\tilde{y})A_5.$$

Therefore, the required result $\Gamma \rhd P_1 \mid [\tilde{v}/\tilde{y}]P_2 : A'$ follows by (T-Sub), if we show $A_3 \mid (\tilde{v}/\tilde{y})A_5 \le A'$. It follows by:

$$
\begin{array}{rcll}
A_3 \mid (\tilde{v}/\tilde{y})A_5 &\le& A_3 \mid (\tilde{v}/\tilde{y})(A_5{\downarrow_{\{\tilde{y}\}}} \mid A_5{\uparrow_{\{\tilde{y}\}}}) & \text{(Lemma A.7(5))}\\
&\le& A_3 \mid (\tilde{v}/\tilde{y})(A_5{\downarrow_{\{\tilde{y}\}}}) \mid (\tilde{v}/\tilde{y})(A_5{\uparrow_{\{\tilde{y}\}}}) & \text{(Lemma A.5(4))}\\
&\le& A_3 \mid (\tilde{v}/\tilde{y})(A_5{\downarrow_{\{\tilde{y}\}}}) \mid A_5{\uparrow_{\{\tilde{y}\}}} & \text{(Lemma A.5(10))}\\
&\le& A_3 \mid (\tilde{v}/\tilde{y})A_4 \mid A_5{\uparrow_{\{\tilde{y}\}}} & \text{(assumption (B.7) above)}\\
&\le& A' & \text{(the definition of } A').
\end{array}
$$

• Case (R-Acc): We are given $\Gamma \rhd \mathbf{acc}^{\xi}(x).P_1 : A$. This must have been derived from

– $\Gamma \rhd P_1 : A_1$

– $\Gamma \rhd x : \mathbf{res}$

– $x^{\xi}.A_1 \le A$.

We have to show that

– $\Gamma \rhd P_1 : A'$

– $A \Longrightarrow A'$.

Let $A'$ be a behavioral type that satisfies $A \Longrightarrow A'$ and $A' \ge A_1$. Such $A'$ is guaranteed to exist by $A \ge x^{\xi}.A_1 \xrightarrow{x^{\xi}} A_1$. Then, $\Gamma \rhd P_1 : A'$ follows from $\Gamma \rhd P_1 : A_1$ and $A' \ge A_1$.

• Case (R-NewR1): We are given $\Gamma \rhd (\mathbf{N}^{\Phi} x)P_1 : A$. This must have been derived from

– $\Gamma, x : \mathbf{res} \rhd P_1 : A_1$

– $\mathit{traces}_x(A_1) \subseteq \Phi$

– $A \ge A_1{\uparrow_{\{x\}}}$.

We have to show that there exists $A'$ such that

– $\Gamma \rhd (\mathbf{N}^{\Phi^{-\xi}} x)P_1' : A'$

– $A \Longrightarrow A'$

where $P_1 \xrightarrow{x^{\xi}} P_1'$.

By the induction hypothesis, there exists $A_1'$ that satisfies $\Gamma, x : \mathbf{res} \rhd P_1' : A_1'$ and $A_1 \overset{x^{\xi}}{\Longrightarrow} A_1'$. Using (Tr-Project), we get $A_1{\downarrow_{\{x\}}} \overset{x^{\xi}}{\Longrightarrow} A_1'{\downarrow_{\{x\}}}$. So, from the definition of traces and $\mathit{traces}_x(A_1) \subseteq \Phi$, we get $\mathit{traces}_x(A_1') \subseteq \Phi^{-\xi}$. By using (T-NewR), we get $\Gamma \rhd (\mathbf{N}^{\Phi^{-\xi}} x)P_1' : A_1'{\uparrow_{\{x\}}}$.

It remains to show there exists $A'$ such that $A_1'{\uparrow_{\{x\}}} \le A'$ and $A \Longrightarrow A'$. That follows from $A \ge A_1{\uparrow_{\{x\}}} \Longrightarrow A_1'{\uparrow_{\{x\}}}$. Here, the latter relation follows from $A_1 \overset{x^{\xi}}{\Longrightarrow} A_1'$ and rule (Tr-Exclude).

Extended case only: Just replace $\mathit{traces}$ with $\mathit{etraces}$ in the above reasoning.

• Case (R-SP): This follows immediately from Part 1 and the induction hypothesis. □



Appendix C. Proof of the Lemma for Theorem 5.8

This section gives a proof of the lemma "Disabled" used in the proof of Theorem 5.8.

Lemma C.1 (Disabled). If $\mathit{well\text{-}annotated}(P)$ and $\Gamma \rhd_{pl} P : A$ with $\mathbf{bool} \notin \mathit{codom}(\Gamma)$, then $P \not\longrightarrow$ implies $\mathit{disabled}(A, S)$ for any $S$.

Proof. We first note that $\mathit{well\text{-}annotated}(P)$ and $P \not\longrightarrow$ imply $\neg\mathit{active}(P)$ by the definition of $\mathit{well\text{-}annotated}(P)$. So, it is sufficient to show that (i) $\Gamma \rhd_{pl} P : A$, (ii) $P \not\longrightarrow$, (iii) $\neg\mathit{active}(P)$, and (iv) $\mathbf{bool} \notin \mathit{codom}(\Gamma)$ imply $\mathit{disabled}(A, S)$ for any $S$. We prove this by induction on the derivation of $\Gamma \rhd_{pl} P : A$, with case analysis on the last rule.

• Case (T-Zero): In this case, $A = \mathbf{0}$, so we have $\mathit{disabled}(A, S)$ for any $S$.

• Case (T-Out): In this case, $P = x_t!(\tilde{v}).P_1$ and $A = x_t.((\tilde{v}/\tilde{y})A_1 \mid A_2)$. Since $\neg\mathit{active}(P)$, $t = \emptyset$. So, we have $\mathit{disabled}(A, S)$ for any $S$.

• Case (T-In): In this case, $P = x_t?(\tilde{y}).P_1$ and $A = x_t.(A_2{\uparrow_{\{\tilde{y}\}}})$. Since $\neg\mathit{active}(P)$, $t = \emptyset$. So, we have $\mathit{disabled}(A, S)$ for any $S$.

• Case (T-Par): In this case, $P = P_1 \mid P_2$ and $A = A_1 \mid A_2$ with $\Gamma \rhd_{pl} P_1 : A_1$ and $\Gamma \rhd_{pl} P_2 : A_2$. Note that $P \not\longrightarrow$ implies $P_1 \not\longrightarrow$ and $P_2 \not\longrightarrow$, and $\neg\mathit{active}(P)$ implies $\neg\mathit{active}(P_1)$ and $\neg\mathit{active}(P_2)$. So, by the induction hypothesis, we get $\mathit{disabled}(A_1, S)$ and $\mathit{disabled}(A_2, S)$ for any $S$, which implies $\mathit{disabled}(A, S)$.

• Case (T-Rep): In this case, $P = *P_1$ and $A = *A_1$, with $\Gamma \rhd_{pl} P_1 : A_1$. $\neg\mathit{active}(P)$ and $P \not\longrightarrow$ imply $\neg\mathit{active}(P_1)$ and $P_1 \not\longrightarrow$. So, by the induction hypothesis, we get $\mathit{disabled}(A_1, S)$ for any $S$, which also implies $\mathit{disabled}(A, S)$ as required.

• Case (T-If): This case cannot happen; by condition (iv), $P$ must be of the form $\mathbf{if}\ \mathbf{true}\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2$ or $\mathbf{if}\ \mathbf{false}\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2$, which contradicts $P \not\longrightarrow$.

• Case (T-New): In this case, $P = (\nu x)P_1$, $A = (\nu x)A_2$, and $\Gamma, x : \mathbf{chan}((\tilde{y} : \tilde{\sigma})A_1) \rhd P_1 : A_2$. $\neg\mathit{active}(P)$ and $P \not\longrightarrow$ imply $\neg\mathit{active}(P_1)$ and $P_1 \not\longrightarrow$. So, by the induction hypothesis, we get $\mathit{disabled}(A_2, S)$ for any $S$. By the definition of $\mathit{disabled}(\cdot, S)$, we get $\mathit{disabled}(A, S)$.

• Case (T-Acc): This case cannot happen, since $P$ must be of the form $\mathbf{acc}^{\xi}(x).P_1$, which contradicts $P \not\longrightarrow$.

• Case (T-NewR): Similar to the case for (T-New).

• Case (T-Sub): $\Gamma \rhd_{pl} P : A$ must be derived from $\Gamma \rhd_{pl} P : A'$ for some $A' \le A$. By the induction hypothesis, for any $S$, we get $\mathit{disabled}(A', S)$. By the condition $A' \le A$, we have $\mathit{disabled}(A, S)$ for any $S$. □

Appendix D. Computing a Basis of Behavioral Type 

This section is an appendix for Section 4.3.1. Let $A$ be a behavioral type of the form $(\nu y)\,B$, where $B$ does not contain any $\nu$-prefix. Such an $A$ can be obtained by pushing all the $\nu$-prefixes out to the top level, as described in Section 4.3.1. We show how to compute a basis of $A$ below.
The constructor $\uparrow_S$ can be eliminated by running the algorithm $\mathit{ElimUp}^{\emptyset,\emptyset}(B, \emptyset)$ below.

\[
\begin{array}{rcl}
\mathit{ElimUp}^{D,F}(\mathbf{0}, S) & = & \mathbf{0} \\
\mathit{ElimUp}^{D,F}(\alpha, S) & = & \left\{ \begin{array}{ll}
   A & \text{if } F(\alpha, S) = A \\
   \mu\beta.\mathit{ElimUp}^{D,\,F\cup\{(\alpha,S)\mapsto\beta\}}(D(\alpha), S) & \text{if } (\alpha, S) \notin dom(F)
   \end{array} \right. \\
\mathit{ElimUp}^{D,F}(l.A, S) & = & (l\backslash S).\mathit{ElimUp}^{D,F}(A, S) \\
\mathit{ElimUp}^{D,F}(A_1 \mid A_2, S) & = & \mathit{ElimUp}^{D,F}(A_1, S) \mid \mathit{ElimUp}^{D,F}(A_2, S) \\
\mathit{ElimUp}^{D,F}(A_1 \oplus A_2, S) & = & \mathit{ElimUp}^{D,F}(A_1, S) \oplus \mathit{ElimUp}^{D,F}(A_2, S) \\
\mathit{ElimUp}^{D,F}(*A, S) & = & *\mathit{ElimUp}^{D,F}(A, S) \\
\mathit{ElimUp}^{D,F}((y/x)A, S) & = & (y/x)\mathit{ElimUp}^{D,F}(A, \{z \mid [y/x]z \in S\}) \\
\mathit{ElimUp}^{D,F}(\mu\alpha.A, S) & = & \mu\alpha.\mathit{ElimUp}^{D\cup\{\alpha\mapsto A\},\,F\cup\{(\alpha,S)\mapsto\alpha\}}(A, S) \\
\mathit{ElimUp}^{D,F}(A\!\uparrow_{S_1}, S) & = & \mathit{ElimUp}^{D,F}(A, S \cup S_1) \\
\mathit{ElimUp}^{D,F}(A\!\downarrow_{S_1}, S) & = & \mathit{ElimUp}^{D,F}(A, S)\!\downarrow_{S_1}
\end{array}
\]

Here, $l\backslash S$ is $\tau$ if $target(l) \subseteq S$ and $l$ otherwise. $D$ keeps recursive definitions and $F$ is a cache for avoiding repeated computation. If $A$ does not contain $\nu$-prefixes, $\mathit{ElimUp}^{D,F}(B, \emptyset)$ always terminates, since $S$ can range only over a finite set (the powerset of $\mathbf{FV}(B)$). The constructor $\downarrow_S$ can be removed in the same manner.

We can further eliminate the renaming constructor $(y/x)$ by using the following algorithm.

\[
\begin{array}{rcl}
\mathit{ElimRen}^{D,F}(\mathbf{0}, \theta) & = & \mathbf{0} \\
\mathit{ElimRen}^{D,F}(\alpha, \theta) & = & \left\{ \begin{array}{ll}
   A & \text{if } F(\alpha, \theta) = A \\
   \mu\beta.\mathit{ElimRen}^{D,\,F\cup\{(\alpha,\theta)\mapsto\beta\}}(D(\alpha), \theta) & \text{if } (\alpha, \theta) \notin dom(F)
   \end{array} \right. \\
\mathit{ElimRen}^{D,F}(l.A, \theta) & = & \theta l.\mathit{ElimRen}^{D,F}(A, \theta) \\
\mathit{ElimRen}^{D,F}(A_1 \mid A_2, \theta) & = & \mathit{ElimRen}^{D,F}(A_1, \theta) \mid \mathit{ElimRen}^{D,F}(A_2, \theta) \\
\mathit{ElimRen}^{D,F}(A_1 \oplus A_2, \theta) & = & \mathit{ElimRen}^{D,F}(A_1, \theta) \oplus \mathit{ElimRen}^{D,F}(A_2, \theta) \\
\mathit{ElimRen}^{D,F}(*A, \theta) & = & *\mathit{ElimRen}^{D,F}(A, \theta) \\
\mathit{ElimRen}^{D,F}((y/x)A, \theta) & = & \mathit{ElimRen}^{D,F}(A, \theta \circ [y/x]) \\
\mathit{ElimRen}^{D,F}(\mu\alpha.A, \theta) & = & \mu\alpha.\mathit{ElimRen}^{D\cup\{\alpha\mapsto A\},\,F\cup\{(\alpha,\theta)\mapsto\alpha\}}(A, \theta)
\end{array}
\]

By applying the above algorithms to $A = (\nu y)\,B$, we obtain an equivalent type $A' = (\nu y)\,B'$, where $B'$ does not contain any $\nu$-prefixes, $\downarrow_S$, $\uparrow_S$ or $(y/x)$. So, only elements of $Atoms(B')$ defined below (modulo folding/unfolding of recursive types) can appear in transitions of $B$. So, $(\{y\}, Atoms(B'))$ forms a basis of $A$.

Definition D.1. Let $A$ be a behavioral type that does not contain any $\nu$-prefix, $\downarrow_S$, $\uparrow_S$, or $(y/x)$. The set of atoms $Atoms(A)$ is the least set that satisfies the following conditions.

\[
\begin{array}{rcl}
Atoms(l.A) & \supseteq & \{l.A\} \cup Atoms(A) \\
Atoms(A_1 \mid A_2) & \supseteq & Atoms(A_1) \cup Atoms(A_2) \\
Atoms(A_1 \oplus A_2) & \supseteq & \{A_1 \oplus A_2\} \cup Atoms(A_1) \cup Atoms(A_2) \\
Atoms(*A) & \supseteq & \{*A\} \cup Atoms(A) \\
Atoms(\mu\alpha.A) & \supseteq & \{\mu\alpha.A\} \cup Atoms([\mu\alpha.A/\alpha]A)
\end{array}
\]
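The atom set of Definition D.1 as an added example, not code from the paper or its prototype analyzer: behavioral types are encoded as nested tuples (an encoding chosen here), the clause for $\mathbf{0}$ is absent from the page and is assumed to contribute no atoms, and the visited set is what realises "modulo folding/unfolding", since unfolding $\mu\alpha.A$ stops as soon as a type already recorded reappears, so the computed set is finite. The sample type is constructed for the example.

```python
# Added example, not from the paper: Atoms(A) of Definition D.1 computed as a
# least fixed point. Behavioral types without nu, up/down and renaming are
# nested tuples: ('0',) | ('act', l, A) | ('par', A1, A2) | ('sum', A1, A2)
# | ('rep', A) | ('var', a) | ('mu', a, A)      ('sum' is the paper's (+))

def subst(t, a, s):
    """[s/a]t: replace free occurrences of the type variable a in t by s."""
    if t[0] == 'var':
        return s if t[1] == a else t
    if t[0] == 'mu' and t[1] == a:          # a is rebound here: nothing to do
        return t
    return (t[0],) + tuple(subst(c, a, s) if isinstance(c, tuple) else c
                           for c in t[1:])   # labels and bound names stay

def atoms(t, acc=None):
    """Least set closed under the Atoms(.) clauses of Definition D.1.  acc
    records atoms already expanded, which is what makes the unfolding clause
    Atoms(mu a.A) ⊇ Atoms([mu a.A/a]A) terminate (types modulo fold/unfold)."""
    acc = set() if acc is None else acc
    tag = t[0]
    if tag == '0':            # the page gives no clause for 0: assumed to add nothing
        return acc
    if tag == 'var':          # closed types never reach a free variable
        raise ValueError(f"free type variable {t[1]}")
    if tag == 'par':          # A1 | A2 is decomposed, it is not itself an atom
        atoms(t[1], acc)
        return atoms(t[2], acc)
    if t in acc:              # this atom was unfolded before: stop
        return acc
    acc.add(t)                # l.A, A1 (+) A2, *A and mu a.A are atoms
    if tag == 'mu':
        return atoms(subst(t[2], t[1], t), acc)
    for child in t[1:]:
        if isinstance(child, tuple):   # skip the label of 'act'
            atoms(child, acc)
    return acc

# Constructed sample: a resource read repeatedly, then closed or reopened:
#   mu a.( *read.0 | (close.0 (+) reopen.a) )
SAMPLE = ('mu', 'a', ('par', ('rep', ('act', 'read', ('0',))),
                              ('sum', ('act', 'close', ('0',)),
                                      ('act', 'reopen', ('var', 'a')))))

if __name__ == '__main__':
    for atom in atoms(SAMPLE):   # 6 atoms, e.g. ('act', 'reopen', SAMPLE)
        print(atom)
```

The atom `('act', 'reopen', SAMPLE)` carries the folded recursive type, which is why the set stays finite even though the definition unfolds $\mu\alpha.A$.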